Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🌱 Include action execution for PR code #21

Closed
wants to merge 2 commits into from
Closed

🌱 Include action execution for PR code #21

wants to merge 2 commits into from

Conversation

Adirio
Copy link
Contributor

@Adirio Adirio commented Nov 19, 2020
edited
Loading

☢️💀⚠️ Security Concerns ⚠️💀☢️

This GitHub Action has access to a GitHub token with Read and (more importantly) Write privileges to this repo. The use of this token within the master branch (current usage) can be controlled. However, usage in the PR branch (added in this PR) can be modified and the token could be leaked. A solution for this issue needs to be developed if the behavior introduced in this PR is desired.

Description

Aside from executing the live action from master, this PR includes a second job that executes the action from the PR branch.

Motivation

Currently, changes introduced by PR can only be tested after being merged into master. Adding this job allows to execute the action before merging so that its behavior can be reviewed before merging.

PoC

This PR has been merged in my ownh fork to showcase how it works. A dummy PR has been created to show both jobs.
P.S.: the action themselves are still broken (see #17, and #19) and will always success, so the outcome of the jobs is not relevant.
P.S.2: the PR content is just a trivial README.md file update, it is not relevant either.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 19, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Adirio
To complete the pull request process, please assign droot after the PR has been reviewed.
You can assign the PR to them by writing /assign @droot in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 19, 2020
@Adirio Adirio changed the title 🌱 Include action execution for PR code WIP 🌱 Include action execution for PR code Nov 19, 2020
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 19, 2020
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 19, 2020
@Adirio Adirio changed the title WIP 🌱 Include action execution for PR code 🌱 Include action execution for PR code Nov 19, 2020
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 19, 2020
@Adirio Adirio mentioned this pull request Nov 19, 2020
Merged
@DirectXMan12
Copy link
Contributor

So, there's a reason that we don't use this -- that GitHub token gives read-write access to the repository, which means that someone could do nefarious things just by submitting a PR if we run against the PR, so I don't think it's a good idea to merge this.

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 19, 2020
@Adirio
Improve debugging output from the action execution
d573ec9 
Signed-off-by: Adrian Orive <adrian.orive.oneca@gmail.com>
@Adirio Adirio mentioned this pull request Nov 20, 2020
Merged
@Adirio
Include action execution for PR code so that we can verify it works b…
aed728b 
…efore merging into master

Signed-off-by: Adrian Orive <adrian.orive.oneca@gmail.com>
@Adirio
Copy link
Contributor Author

Adirio commented Nov 20, 2020

Included a "Security Concern" alert at the top of this PR, and closing for now until a solution is provided.

@Adirio Adirio closed this Nov 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DirectXMan12 DirectXMan12 Awaiting requested review from DirectXMan12

@droot droot Awaiting requested review from droot

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Adirio @k8s-ci-robot @DirectXMan12