
Do not checkout the fork's branch upon history comparison #23

Merged
mbaruh merged 2 commits into main from do-not-checkout-fork on Aug 23, 2023

Conversation

@shtlrs
Contributor

@shtlrs shtlrs commented Aug 18, 2023

Reasoning

Generally, when using the pull_request event as a trigger for our CI, it uses the fork's CI context, allowing malicious users to tamper with CI.

We are switching to using pull_request_target as the event, which ensures that CI is executed with our repo's context.

The main condition for using this is to neither check out nor execute the fork's code.

Solution

The approach was to add the fork as a remote, but we only perform a fetch operation instead of a checkout, ensuring that only our code is checked out.

This is the layer step for using the pull_request_target event as trigger

The purpose is to not allow anyone to tamper with our CI, so we need to be in our repo's context
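The following workflow is an added illustration of the pattern the PR describes (pull_request_target trigger, fork added as a remote, fetch without checkout, read-only history comparison); it is not this repository's own workflow. The job name `compare-history`, the remote name `fork`, and the local ref `refs/remotes/fork/pr-head` are assumed names chosen for the example.

```yaml
# Added illustration of the fetch-but-never-checkout pattern; not the project's own workflow.
# Assumed names: job "compare-history", remote "fork", local ref "refs/remotes/fork/pr-head".
name: History comparison

on:
  pull_request_target:        # runs in the base repository's context (and with its secrets)...
    types: [opened, synchronize, reopened]

permissions:
  contents: read              # ...so keep the token read-only; nothing below needs write access

jobs:
  compare-history:
    runs-on: ubuntu-latest
    steps:
      # Under pull_request_target the default checkout is the BASE repository's branch, i.e.
      # trusted code. Do NOT pass ref: ${{ github.event.pull_request.head.sha }} here; that
      # would check out the fork's tree and defeat the point of switching events.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so the merge base can be found below

      # Untrusted PR values are passed as environment variables rather than interpolated into
      # the script with ${{ }}, so a crafted branch name cannot become shell syntax.
      - name: Fetch the fork's branch without checking it out
        env:
          FORK_URL: ${{ github.event.pull_request.head.repo.clone_url }}
          FORK_REF: ${{ github.event.pull_request.head.ref }}
          EXPECTED_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          git remote add fork "$FORK_URL"
          # Fetch only: the commits land in a remote-tracking ref; the working tree stays on base.
          git fetch --no-tags fork "+refs/heads/${FORK_REF}:refs/remotes/fork/pr-head"
          # Guard against the fork branch moving between the event and this run.
          if [ "$(git rev-parse refs/remotes/fork/pr-head)" != "$EXPECTED_SHA" ]; then
            echo "::error::fetched fork head does not match the PR head SHA"
            exit 1
          fi
          # Sanity check: the working tree is still the base repository's commit (GITHUB_SHA
          # is the last commit of the PR base branch for pull_request_target).
          if [ "$(git rev-parse HEAD)" != "$GITHUB_SHA" ]; then
            echo "::error::working tree is not on the base branch"
            exit 1
          fi

      # Only read-only git commands touch the fetched history; nothing from the fork is executed.
      - name: Compare history
        run: |
          set -euo pipefail
          base="$(git merge-base HEAD refs/remotes/fork/pr-head)"
          echo "Merge base: $base"
          git log --oneline "${base}..refs/remotes/fork/pr-head"
          git diff --stat "${base}" refs/remotes/fork/pr-head
```

Two checks matter beyond the fetch itself: the comparison of the fetched ref against the PR's head SHA catches the fork branch being moved after the event fired, and the HEAD-equals-GITHUB_SHA check makes a later accidental checkout of the fork's tree fail loudly instead of silently running untrusted code with the repository's token.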
@shtlrs force-pushed the do-not-checkout-fork branch 4 times, most recently from 8e7f15c to 7936659 on August 22, 2023 22:24
This also adds colored logs to make sure people's attention is redirected to the error easily
@shtlrs force-pushed the do-not-checkout-fork branch from 7936659 to 9904284 on August 22, 2023 22:24
@mbaruh mbaruh merged commit 73a8099 into main Aug 23, 2023
