Enable fork PRs CI to run codecov #270

Merged: 1 commit merged into master from enable-fork-prs-ci-to-run-codecov on May 21, 2024
Conversation

p4checo (Member) commented May 17, 2024

Checklist

Motivation and Context

For security reasons, fork PRs don't have access to secrets if we use `pull_request` in GH Actions CI spec, only if we use `pull_request_target`, which has its own security implications. See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Codecov status reporting in CI requires a token, so for fork PRs to be able to do so we migrated to `pull_request_target` with the caveat that MRs have to be labelled and have the `run ci` label applied, which can only be done by someone with triage access to the repo.

This should give us a good compromise in terms of security.

Note ⚠️

CI isn't running with these changes, because `pull_request_target` runs the workflow from the target branch, so only once this gets merged to master will the workflow actually run as "expected".

Description

Update ci.yml specification to allow fork PRs CI to run codecov, but only when labelled with the `run ci` label.
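The label-gated `pull_request_target` pattern the PR describes, written out as an added example. This is not the project's actual ci.yml: the workflow name, the `make test` command, the action versions and the `CODECOV_TOKEN` secret name are assumptions; the event names, context expressions and action inputs are standard GitHub Actions.

```yaml
# Added example, not the project's own ci.yml.
# pull_request_target runs with the workflow file from the base branch and
# with repository secrets available, so a fork PR only gets to run (and reach
# the Codecov token) once a maintainer has inspected it and applied `run ci`.
name: CI

on:
  push:
    branches: [master]
  pull_request_target:
    # `labeled` is required so that applying the label starts a run.
    # `synchronize` re-runs on every new push to an already-labelled PR;
    # see the caveat below.
    types: [opened, synchronize, reopened, labeled]

# pull_request_target gives GITHUB_TOKEN write scopes by default; narrow it so
# the only secret worth stealing in this job is the Codecov token.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Pushes to master always run. PRs from the base repository need no label.
    # PRs from forks run only when a triager has applied `run ci`.
    if: >-
      github.event_name != 'pull_request_target' ||
      github.event.pull_request.head.repo.full_name == github.repository ||
      contains(github.event.pull_request.labels.*.name, 'run ci')
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the BASE branch by default; to test
          # the PR we must check out its head commit explicitly. From here on
          # the job executes untrusted code with secrets in reach, which is
          # exactly why the human-applied label gate sits in front of it.
          # On push events github.event.pull_request is empty, so fall back
          # to the pushed commit.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          # Do not leave GITHUB_TOKEN in .git/config for the PR's code to read.
          persist-credentials: false

      - name: Run tests with coverage
        run: make test   # hypothetical; the project's real test command differs

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}   # assumed secret name
          fail_ci_if_error: true
```

Two practical points about this gate. First, as the PR's note says, the workflow definition is taken from the base branch, so a fork cannot edit the `if:` condition away in the same PR; only the checked-out head commit is under the contributor's control. Second, the label is sticky: with `synchronize` in the trigger list, any commit pushed to a fork PR after `run ci` was applied re-runs with the secret and without fresh review. If that matters, drop `synchronize` (so each new push needs the label re-applied), or add a small job that removes the label on `synchronize` and let the `labeled` event drive the real run.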

p4checo changed the title from "Enable fork prs ci to run codecov" to "Enable fork PRs CI to run codecov" on May 17, 2024
For security reasons, fork PRs don't have access to secrets if we use
`pull_request` in GH Actions CI spec, only if we use
`pull_request_target`, which has its own security implications. See
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Codecov status reporting in CI requires a token, so for fork PRs to
be able to do so we migrated to `pull_request_target` with the caveat
that MRs have to be labelled and have the `run ci` label applied,
which can only be done by someone with triage access to the repo. PRs
originating from the original repo shouldn't require a label.

This should give us a good compromise in terms of security.
@p4checo p4checo merged commit 16b0d17 into master May 21, 2024
2 checks passed
@p4checo p4checo deleted the enable-fork-prs-ci-to-run-codecov branch May 21, 2024 15:13
3 participants