[openstreetmap/openstreetmap-website] Danger isn't working in CI (Issue #5267)

mmd notifications at github.com
Tue Oct 22 11:31:25 UTC 2024


https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ might be interesting. It describes a setup where untrusted code is processed by an `on: pull_request` step (which has access to the pull request). In this step we could run danger, similar to what chef/chef is doing as mentioned above. The results of this analysis run can then be checked in as an artifact, and another trusted CI step can then be used to download the artifact and update the pull request labels. This second step is leveraging `on: pull_request_target:`.

I think the overall approach might in fact work. At least the first step to run danger with `on: pull_request` should be able to successfully analyse the untrusted code in the pull request.

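In the setup described above, the trusted step consumes an artifact that was produced while running untrusted pull request code, so it has to treat the artifact's contents as data to validate rather than as instructions. The following is an added example, not code from openstreetmap-website or Danger: a Ruby check the trusted step could run before applying labels, assuming a hypothetical JSON artifact with `pr_number` and `labels` fields and a made-up label allowlist.

```ruby
require "json"

# Hypothetical allowlist: the only labels the trusted step may ever apply.
ALLOWED_LABELS = %w[big-pr dependencies documentation javascript tests].freeze
MAX_ARTIFACT_BYTES = 4096

class ArtifactRejected < StandardError; end

# raw:         artifact contents written by the untrusted analysis run
# expected_pr: PR number taken from the trusted event context, never from the artifact
def validated_label_update(raw, expected_pr:)
  raise ArtifactRejected, "artifact too large" if raw.bytesize > MAX_ARTIFACT_BYTES

  data = begin
    JSON.parse(raw)
  rescue JSON::ParserError
    raise ArtifactRejected, "artifact is not valid JSON"
  end
  raise ArtifactRejected, "unexpected top-level type" unless data.is_a?(Hash)

  pr = data["pr_number"]
  raise ArtifactRejected, "pr_number must be a positive integer" unless pr.is_a?(Integer) && pr.positive?
  # A PR must not be able to redirect the label update to a different PR.
  raise ArtifactRejected, "pr_number mismatch" unless pr == expected_pr

  labels = data["labels"]
  raise ArtifactRejected, "labels must be an array of strings" unless labels.is_a?(Array) && labels.all?(String)

  # Unknown labels are dropped and reported, never applied.
  accepted, dropped = labels.uniq.partition { |l| ALLOWED_LABELS.include?(l) }
  { pr_number: pr, labels: accepted, dropped: dropped }
end

# Constructed sample artifact: one duplicate and one label outside the allowlist.
SAMPLE_ARTIFACT = '{"pr_number": 1234, "labels": ["tests", "documentation", "tests", "admin-approved"]}'

if __FILE__ == $PROGRAM_NAME
  result = validated_label_update(SAMPLE_ARTIFACT, expected_pr: 1234)
  puts "apply to ##{result[:pr_number]}: #{result[:labels].join(', ')}"
  puts "ignored: #{result[:dropped].join(', ')}" unless result[:dropped].empty?
end
```

Only the validated `labels` list should be passed on to whatever call updates the pull request; nothing from the artifact should be interpolated into a shell command or executed.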