> Our process prioritizes validating external code before CI runs.

Currently, you never run CI on external contributions.
So that means after reviewing a PR you run it locally on your computer.
I think that is more of a security problem than using GitHub Actions on PRs from forks.
The run of the GitHub Actions is controlled by repository settings:
https://github.com/exoscale/egoscale/settings/actions
You should check the option "Require approval for all outside collaborators", and the CI will only run after a CI approval (not a PR approval).
Also, secrets are never used with a PR from forks, so using forks instead of branches is a lot more secure.
Creating a PR from a branch of the repository allows access to secrets; this is a security problem.
I think you should update your security practices and policies.

#627 (comment)
Related to #627