Open t-b opened 1 month ago
For our CI, GH actions, we use the pull_request workflow 1 mode. This creates a merge commit against the base branch to run the CI against. This means that the git revision of that CI run is not the HEAD of the branch PR but a transient revision.
pull_request
The alternative pull_request_target 2 has various warnings attached to keep CI secure. So this looks fragile see https://securitylab.github.com/research/github-actions-preventing-pwn-requests.
pull_request_target
Instead we could use push with branches-ignore, see https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-workflow-only-when-a-push-to-specific-branches-occurs.
push
branches-ignore
We should use push with branch ignore.
t-b
commented
1 month ago
For our CI, GH actions, we use the
pull_requestworkflow 1 mode. This creates a merge commit against the base branch to run the CI against. This means that the git revision of that CI run is not the HEAD of the branch PR but a transient revision.The alternative
pull_request_target2 has various warnings attached to keep CI secure. So this looks fragile see https://securitylab.github.com/research/github-actions-preventing-pwn-requests.Instead we could use
pushwithbranches-ignore, see https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-your-workflow-only-when-a-push-to-specific-branches-occurs.