Adding gitspiegel-trigger workflow #781
Using a workflow to trigger mirroring instead of a webhook allows us to reuse the "Approving workflow runs from public forks" GitHub feature to somewhat protect us from malicious PRs.
UPD: The first attempt to use a workflow to protect GitLab CI from untrusted contributors failed, because GitHub doesn't pass secrets to workflows for PRs that originate from forks. This uses a different approach: instead of triggering the gitspiegel API directly from the workflow, we're just spawning an empty workflow with a specific path, and gitspiegel listens for the workflow_run event to start mirroring. The idea is the same: for first-time contributors, running workflows would require manual action and that would block mirroring. But this time, we don't need any secrets to make it work.
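The listener side of the approach described in the PR description above, as an added example that is not part of the original thread and is not gitspiegel's code: it mirrors only when a signed `workflow_run` delivery reports that the trigger workflow finished successfully. The workflow file path, the webhook secret, and the function names are assumptions; the deliveries are constructed samples.

```python
import hashlib
import hmac
import json

# Assumed placeholder: the page names the workflow but not its file path.
TRIGGER_PATH = ".github/workflows/gitspiegel-trigger.yml"


def sign(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256 for a webhook body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def mirror_decision(headers: dict, body: bytes, secret: bytes):
    """Return (head_sha, reason); head_sha is None when mirroring must not start."""
    sent = headers.get("X-Hub-Signature-256", "")
    # Constant-time comparison, done before the body is parsed at all.
    if not hmac.compare_digest(sent.encode(), sign(secret, body).encode()):
        return None, "bad signature"
    if headers.get("X-GitHub-Event") != "workflow_run":
        return None, "not a workflow_run event"
    event = json.loads(body)
    run = event.get("workflow_run", {})
    if run.get("path") != TRIGGER_PATH:
        return None, "different workflow"
    # A run still waiting for maintainer approval has not executed, so only
    # a completed, successful run of the trigger workflow counts.
    if event.get("action") != "completed" or run.get("conclusion") != "success":
        return None, "run not approved and finished"
    return run.get("head_sha"), "mirror"


def _delivery(secret, action, conclusion, path=TRIGGER_PATH):
    """Constructed sample delivery (not captured traffic)."""
    body = json.dumps({"action": action, "workflow_run": {
        "path": path, "conclusion": conclusion, "head_sha": "0" * 40}}).encode()
    return {"X-GitHub-Event": "workflow_run",
            "X-Hub-Signature-256": sign(secret, body)}, body
```

Acting on the `requested` action, or on any conclusion other than `success`, would start mirroring before a maintainer has approved the run, which is the gate this design relies on.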
I am not sure we need this for wasmi since I configured CI jobs to require an OK from repo admins before running for external contributor PRs.
The clippy warnings are not related to this PR. So we are good to go if this PR fixes the underlying issue.
@Robbepop I don't have the necessary permissions to do that, could you merge it please?
Codecov Report
@@ Coverage Diff @@
## master #781 +/- ##
==========================================
+ Coverage 81.13% 81.15% +0.01%
==========================================
Files 270 270
Lines 23217 23217
==========================================
+ Hits 18838 18841 +3
+ Misses 4379 4376 -3
see 2 files with indirect coverage changes