Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CI: Code Review Failing in PR #38

Closed
niklasdewally opened this issue Nov 3, 2023 · 2 comments
Closed

CI: Code Review Failing in PR #38

niklasdewally opened this issue Nov 3, 2023 · 2 comments

Comments

@niklasdewally
Copy link
Contributor

niklasdewally commented Nov 3, 2023
edited
Loading

Actions that run on code that lives on a fork of this repository (for example, pull requests) can only have a readonly token to the repository.

https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

This causes code coverage CI to fail.

This needs a more complex security model.
@niklasdewally niklasdewally mentioned this issue Nov 3, 2023
Merged
@niklasdewally
Copy link
Contributor Author

https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

TL;DR
should use readonly pull_request workflow to run arbitrary code then save coverage report to an artifact.
using workflow_run, start a read-write pull_request_target workflow to deploy this to GH actions. This avoids secrets leakage from actions down into arbitrary user code.

niklasdewally added a commit to niklasdewally/conjure-oxide that referenced this issue Nov 4, 2023
@niklasdewally
CI: fix conjure-cp#38
9bb6f80
@niklasdewally
Copy link
Contributor Author

#37

ozgurakgun added a commit that referenced this issue Nov 4, 2023
@ozgurakgun
Merge pull request #37 from niklasdewally/pr/ci-fixes
6ae77bc 
CI Tweaks, Fix #38, and Single Cache
@niklasdewally niklasdewally mentioned this issue Nov 6, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@niklasdewally