NixOS / nixos-homepage

Sources for nixos.org
https://nixos.org
285 stars 305 forks

Change Github Actions trigger type to pull_request_target to prevent tampering and allow workflow from forks #1472

Closed thilobillerbeck closed 1 week ago

thilobillerbeck commented 1 week ago

Changing the deploy trigger to pull_request_target to allow the CI to use our secrets for deployments regarding PRs from forks, making PR checks quicker and less error-prone over time.

See here for details: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

crertel commented 1 week ago

Question: is this something that could be exploited to mine bitcoins or something, or will CI runs need manual approval?

thilobillerbeck commented 1 week ago

First of all the runners the builds run on aren't ours anyway. Since we are an open source project, we fall under terms and pricing which allows us to use GitHub Actions for free.

Secondly, as of my understanding, the current setup would allow for that; the change would run the CI script that is in the branch being merged into, not in the branch being merged from. This is also why GitHub Actions doesn't deploy PRs to staging that are not from our repo, since with a malicious script the secret would be extracted. It's in that regard more of a safeguard than before.
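A workflow shape matching the trigger change discussed in this PR, added here as an illustration and not the nixos-homepage repository's own workflow; the job names, the `STAGING_DEPLOY_TOKEN` secret and the `build.sh`/`deploy.sh` commands are placeholders. It separates the fork-controlled build from the secret-holding deploy step, since the base-branch workflow file is what runs but any code checked out from the PR head is still the contributor's.

```yaml
# Added illustration (not the repository's own workflow); job names, the
# secret name and the build/deploy commands are placeholders.
name: staging-preview

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  build:
    # No secrets are referenced in this job: everything executed here comes
    # from the fork's commit and must be treated as untrusted input.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the base branch by default; the PR
          # head must be requested explicitly to build the contributor's change.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - name: Build site
        run: ./build.sh          # placeholder for the real build command
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: result/

  deploy:
    # Secrets live only here. This job checks out the base branch (the default
    # for pull_request_target) and never executes code from the fork; it only
    # copies the artifact produced by the build job.
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: site/
      - name: Deploy preview
        env:
          DEPLOY_TOKEN: ${{ secrets.STAGING_DEPLOY_TOKEN }}   # placeholder name
        # deploy.sh comes from the base checkout; treat site/ as data, not code.
        run: ./deploy.sh site/   # placeholder for the real deploy command
```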

thilobillerbeck commented 1 week ago

Approval is currently set to be manually required for any external contribution. Though this PR is for what happens after approval.

crertel commented 1 week ago

Awesome, thank you for the explanation! :)