Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Treat PRs with agit flow as fork PRs when triggering actions. #23884

Merged
merged 4 commits into from Apr 6, 2023
Merged

Treat PRs with agit flow as fork PRs when triggering actions. #23884

merged 4 commits into from Apr 6, 2023

Conversation

wolfogre
Copy link
Member

@wolfogre wolfogre commented Apr 3, 2023

There is no fork concept in agit flow, anyone with read permission can push refs/for/<target-branch>/<topic-branch> to the repo. So we should treat it as a fork pull request because it may be from an untrusted user.

@wolfogre wolfogre added type/enhancement An improvement of existing functionality topic/gitea-actions related to the actions of Gitea outdated/backport/v1.19 This PR should be backported to Gitea 1.19 labels Apr 3, 2023
@wolfogre wolfogre added this to the 1.20.0 milestone Apr 3, 2023
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Apr 3, 2023
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Apr 6, 2023
@lunny lunny added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 6, 2023
@jolheiser jolheiser enabled auto-merge (squash) April 6, 2023 20:02
@jolheiser
Copy link
Member

🎺 🤖

@jolheiser jolheiser merged commit d92909f into go-gitea:main Apr 6, 2023
2 checks passed
@GiteaBot
Copy link
Contributor

GiteaBot commented Apr 6, 2023

I was unable to create a backport for 1.19. @wolfogre, please send one manually. 🍵

@GiteaBot GiteaBot added the backport/manual No power to the bots! Create your backport yourself! label Apr 6, 2023
@jolheiser jolheiser removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Apr 6, 2023
wolfogre added a commit to wolfogre/gitea that referenced this pull request Apr 7, 2023
@wolfogre
Treat PRs with agit flow as fork PRs when triggering actions. (go-git…
cea9d4e 
…ea#23884)

There is no fork concept in agit flow, anyone with read permission can
push `refs/for/<target-branch>/<topic-branch>` to the repo. So we should
treat it as a fork pull request because it may be from an untrusted
user.
@wolfogre wolfogre mentioned this pull request Apr 7, 2023
Merged
@wolfogre wolfogre added the backport/done All backports for this PR have been created label Apr 7, 2023
zjjhot added a commit to zjjhot/gitea that referenced this pull request Apr 7, 2023
@zjjhot
Merge remote-tracking branch 'upstream/main'
f7b0d7e 
* upstream/main:
  Clean template/helper.go (go-gitea#23922)
  Remove `Repository.getFilesChanged` to fix Actions `paths` and `paths-ignore` filter (go-gitea#23920)
  Hardcode path to docker images (go-gitea#23955)
  Title can be empty when creating tag only (go-gitea#23917)
  Actions: Use default branch as ref when a branch/tag delete occurs (go-gitea#23910)
  Refactor authors dropdown (send get request from frontend to avoid long wait time) (go-gitea#23890)
  [skip ci] Updated translations via Crowdin
  Merge `push to create`, `open PR from push`, and `push options` docs articles into one (go-gitea#23744)
  Delete deleted release attachments immediately from storage (go-gitea#23913)
  More specific and unique feed name for NuGet install command template. (go-gitea#23889)
  Treat PRs with agit flow as fork PRs when triggering actions. (go-gitea#23884)
  Use graceful editorconfig loader to reduce errors when loading malformed editorconfigs (go-gitea#21257)
  Remove -v from vulncheck (go-gitea#23953)
  Improve permission check of packages (go-gitea#23879)
  Adjust some documentations titles (go-gitea#23941)
jolheiser pushed a commit that referenced this pull request Apr 7, 2023
@wolfogre
Treat PRs with agit flow as fork PRs when triggering actions. (#23884) (
0487e39 
#23967)

Backport #23884.

There is no fork concept in agit flow, anyone with read permission can
push `refs/for/<target-branch>/<topic-branch>` to the repo. So we should
treat it as a fork pull request because it may be from an untrusted
user.
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Aug 1, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@lunny lunny lunny approved these changes

@a1012112796 a1012112796 a1012112796 approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created backport/manual No power to the bots! Create your backport yourself! lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. outdated/backport/v1.19 This PR should be backported to Gitea 1.19 topic/gitea-actions related to the actions of Gitea type/enhancement An improvement of existing functionality
Projects
None yet
Milestone
1.20.0
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@wolfogre @jolheiser @GiteaBot @lunny @a1012112796