-
-
Notifications
You must be signed in to change notification settings - Fork 720
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify that PR creator is a member of the website-write team #6971
base: gh-pages
Are you sure you want to change the base?
Conversation
Fix Conflicts
…verify-pr-author-3906 Syncing with gh-pages
…verify-pr-author-3906 Re-sync with upstream repository
…verify-pr-creator-3906 Sync with upstream
Want to review this pull request? Take a look at this documentation for a step by step guide! From your project repository, check out a new branch and test the changes.
|
availability: |
Availability: Weekdays 5PM - 9PM |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey @ajb176 Great job with this- I tested in my repo with both a my name and a non-hfla name. The PR authored by the non-member was closed and the message was posted on the issue. So everything works well.
I have some comments:
- I think that I could see this both ways, but here is the question: did you consider adding this as another job in the
pull-request-trigger.yml
workflow? It seems this job could belong there, but the counter-argument is thatpr-instructions.yml
is independent so why not this one? - Regarding the job itself, there are other times that we need to check team membership and I believe that this should be pulled into a javascript file in the utils folder,
check-team-membership.js
or something. Then we can reuse this module in other workflows. - Assuming that you do create the js file, owner could be defined in terms of
context.repo.owner
and repo in terms ofcontext.repo.repo
- minor thing, but notice you are using the earlier version of the API on line 19 with
await github.rest.teams.getMembershipForUserInOrg
instead of the current version similar to lines 27 and 33., e.g.await github.request('GET /orgs/{org}/teams/{team_slug}/memberships/{username}
- (FYI we might(???) need to convert the API over to GraphQL in several months. But not worrying about that right now...)
Again, everything is looking good and thanks for working on this!
Hey @t-will-gillis, thanks for the feedback.
Do you mean the entire job, or just get membership API call? I'm not sure if I see much re-usability in the script here, beyond discretizing the API calls themselves which wouldn't make much sense. Can you expand on this a little? |
Hey @ajb176
|
|
Hey @t-will-gillis I have a working version of this that has a utility function that checks membership, a script that calls that utility function and completes the action, and a yml file that calls that script. That being said, I think something closer to the version here is better. The biggest concern here is the pull_request_trigger. It's a pretty invasive trigger that works within the base of the pull request and has access to repository secrets. If I want to call a script I have to use actions/checkout, which creates a context in which an attacker could potentially have access to all repository files, and access to all repository secrets. Using checkout makes it possible to hide some malicious code abstracted away through several different modules. Considering this is easily avoided by modifying only the yml file and keeping everything it does in plain sight, I think it's a better idea to not use checkout in the pull_request_target unless absolutely necessary. Any code run within the context of pull_request_target will have to be very carefully examined before even checking out the branch for testing, and it will be easier to do that if it's fully contained in a yml file with no access to any other files/scripts. Using checkout also adds another dependency and will take a little longer to run I'd suggest keeping the yml file as is (after making the syntax for the API calls uniform), but I can add the utility function from the other branch that checks membership in case it would be useful for other actions. I can make a draft PR with the other implementation if you'd like to take a look and test the utility function. |
@ajb176 Thank you for bringing up the topic about the potential security risks of using I tested the current code, and a non-hfla user was able to post a PR still. (This could be because the non-member returns a “RequestError” and not a “VerificationError”?) I hear what you are saying about not making things more complicated than needed. I would argue however that this workflow is more complicated than it needs to be. As written currently, this workflow is doing three things in a single step (checking membership; if not a member, then closing the PR; if closing the PR, then commenting on the PR). Please see Hack for LA’s GitHub Actions HfLA’s workflows follow a patten of an event triggering a yaml file in Please move the full script to the js file. This workflow can be written in an easy to follow pattern similar to Therefore please:
Thanks |
Fixes #3906
What changes did you make?
Why did you make the changes (we will use this info to test)?
Instructions for Reviewers:
- 'verify-pr-creator-3906'
on line 7 aligned with and under the 'gh-pages' branchMake sure to push the necessary changes to the verify-pr-creator branch before using checkout to create the testcase branches. The testcase branches should be one commit past the verify-pr branch to avoid headaches when trying to merge the testcase branch into the base branch. If you'd rather not mess with the original branch, you can also checkout a new branch immediately after pulling the verify-pr-creator-3906 branch, and follow the instructions while using the new branch name in steps 1, 4, 6, 7 and 9.