frogbot-scan-pr with on "pull_request" instead of "pull_request_target" does not find frogbot-config.yml #374
Comments
Hello @philipp-rauch-se, Thank you for bringing this bug to our attention. We appreciate your usage of Frogbot. Regarding the expected behavior, our intended approach is to search for the config file in the target branch. If it is not found there, the fallback option is to search in the source branch. Thank you for helping us improve Frogbot! Best regards,
I wanted to inform you that a new version has been released, addressing the issue you encountered. We would greatly appreciate your feedback on whether the latest version resolved your problem.
Hi @EyalDelarea, works like a charm. Thanks for the quick fix 👍
We are also facing the same issue. Currently, pull_request is not finding the configuration file in the source repository. It only takes the file if the event type is pull_request_target and the configuration file is in the target repository.
@AdityaHitachi,
Currently, I have a configuration file in the source branch within the
I am running scan using event type
Thanks @AdityaHitachi. |
No, I have a configuration file in the source repository. Frogbot should pick up that file from the source repository instead of the target. In our case, the target branch is a protected one, as is often the case in many projects, making it impractical to push the file with different work directories each time. Now I am a bit confused about Frogbot's behavior. |
@AdityaHitachi,
But this pull request #378 mentions that if the file is not found in the target repository, it will search for it in the source repository. It states that this bug has already been fixed. |
I believe this functionality is no longer available due to the above security concern @AdityaHitachi. |
Could you please provide any proof, such as a pull request or documentation, that demonstrates that this functionality no longer exists? |
Describe the bug
We are executing frogbot-scan-pr with on "pull_request" instead of "pull_request_target" in our private repos using a reusable workflow.
When using "pull_request" it does not find frogbot-config.yml and therefore the scan does not work.
When using "pull_request_target" it finds frogbot-config.yml and therefore the scan works.
Current behavior
22:57:08 [Info] Frogbot version: 2.9.0
22:57:08 [Debug] Downloading frogbot-config.yml from target xxx / xxx
22:57:08 [Debug] the frogbot-config.yml will be downloaded from the xxx branch
22:57:08 [Debug] the .frogbot/frogbot-config.yml file wasn't recognized in the xxx repository owned by xxx
Reproduction steps
Change on "pull_request_target" to "pull_request" in frogbot-scan-pr.yml and run the scan on a PR.
Expected behavior
Frogbot should find frogbot-config.yml and work properly with on "pull_request" too.
JFrog Frogbot version
2.9.0
Package manager info
does not matter; package.json
Git provider
GitHub
JFrog Frogbot configuration yaml file
No response
Operating system type and version
Linux
JFrog Xray version
3.52.4
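For reference, an added example (not taken from this issue or from the Frogbot project's own files) of the two trigger variants the report compares in frogbot-scan-pr.yml. The JF_URL, JF_ACCESS_TOKEN and JF_GIT_TOKEN names and the `frogbot` environment follow JFrog's published workflow template as I recall it and are assumptions here; the .frogbot/frogbot-config.yml path is the one shown in the debug log above.

```yaml
# frogbot-scan-pr.yml (assumed layout; secret and env names follow JFrog's
# published template as recalled, they are not copied from this issue)
name: "Frogbot Scan Pull Request"

on:
  # Variant the report says does NOT find .frogbot/frogbot-config.yml:
  # pull_request:
  #   types: [opened, synchronize]
  #
  # Variant the report says works. pull_request_target runs in the base
  # repository's context with the base branch as GITHUB_REF, so the config
  # is read from the protected target branch rather than from a branch the
  # PR author controls (the lookup order the maintainer describes above).
  pull_request_target:
    types: [opened, synchronize]

permissions:
  pull-requests: write
  contents: read

jobs:
  scan-pull-request:
    runs-on: ubuntu-latest
    # pull_request_target exposes repository secrets to the job; gating it
    # behind an environment means PRs from forks need approval before the
    # scan (and the secrets) run. Assumed from the JFrog template.
    environment: frogbot
    steps:
      - uses: jfrog/frogbot@v2
        env:
          JF_URL: ${{ secrets.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The .frogbot/frogbot-config.yml file has to be committed on the target (base) branch for the working variant, which is the constraint the later comments about protected branches discuss.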