Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor amalgamation workflow to avoid dangerous use of pull_request_target #3969

Merged
merged 2 commits into from
Mar 8, 2023
Merged

Conversation

joycebrum
Copy link
Contributor

@joycebrum joycebrum commented Mar 7, 2023

Closes #3945

I've followed the approach recommended by Github Security Lab - Preventing pwn requests. This way the pull_request workflow won't have any write privilege that could be exploit.

I have tested the new workflow to add the comment in case of failure in the amalgamation workflow here https://github.com/joycebrum/json/pull/3, and it worked fine.

Pull request checklist

Read the Contribution Guidelines for detailed information.

  • Changes are described in the pull request, or an existing issue is referenced.
  • The test suite compiles and runs without error.
  • Code coverage is 100%. Test cases can be added by editing the test suite.
  • The source code is amalgamated; that is, after making changes to the sources in the include/nlohmann directory, run make amalgamate to create the single-header files single_include/nlohmann/json.hpp and single_include/nlohmann/json_fwd.hpp. The whole process is described here.

Please don't

  • The C++11 support varies between different compilers and versions. Please note the list of supported compilers. Some compilers like GCC 4.7 (and earlier), Clang 3.3 (and earlier), or Microsoft Visual Studio 13.0 and earlier are known not to work due to missing or incomplete C++11 support. Please refrain from proposing changes that work around these compiler's limitations with #ifdefs or other means.
  • Specifically, I am aware of compilation problems with Microsoft Visual Studio (there even is an issue label for this kind of bug). I understand that even in 2016, complete C++11 support isn't there yet. But please also understand that I do not want to drop features or uglify the code just to make Microsoft's sub-standard compiler happy. The past has shown that there are ways to express the functionality such that the code compiles with the most recent MSVC - unfortunately, this is not the main objective of the project.
  • Please refrain from proposing changes that would break JSON conformance. If you propose a conformant extension of JSON to be supported by the library, please motivate this extension.
  • Please do not open pull requests that address multiple issues.

Signed-off-by: Joyce Brum <joycebrum@google.com>
Signed-off-by: Joyce Brum <joycebrum@google.com>
@coveralls
Copy link

coveralls commented Mar 7, 2023

Coverage Status

Coverage: 100.0%. Remained the same when pulling 9380ab0 on joycebrum:develop into b504dca on nlohmann:develop.

Copy link
Owner

@nlohmann nlohmann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

@nlohmann nlohmann added this to the Release 3.11.3 milestone Mar 8, 2023
@nlohmann
Copy link
Owner

nlohmann commented Mar 8, 2023

Thanks a lot! I will merge once the CI runs through.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Dangerous use of pull_request_target
3 participants