External services such as Netlify, Snyk, and FOSSA need secrets (API keys and other environment variables) in order to run. A PR from an external fork could contain malicious code written to read those secrets, so the jobs that use these services require an approval step before they run on fork PRs.
Make sure we document why this gate exists, and that project leads are responsible for reviewing the PR's code for anything malicious before approving those jobs to run.
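As an added example (not the project's own workflow; the page does not name its CI system, so GitHub Actions is assumed here, along with an environment named `external-checks` that has required reviewers configured in the repository settings and a Snyk invocation via `npx snyk test`), this is the shape of the gate described above: the job that holds the secret runs only after a project lead approves it, and the weak variant it replaces is shown in the comment.

```yaml
# Added illustration, not the project's real config. Assumes GitHub Actions,
# an environment "external-checks" with required reviewers (project leads),
# and a SNYK_TOKEN repository secret.
name: third-party-scans

on:
  # pull_request_target runs in the base repository's context, so the
  # workflow can see repository secrets even for fork PRs. That is exactly
  # why the job below must be gated on human approval.
  pull_request_target:
    types: [opened, synchronize, reopened]

jobs:
  # WEAK (do not use): the same checkout-and-scan with no environment gate.
  # Any fork PR could replace package.json scripts, read SNYK_TOKEN from the
  # environment, and send it anywhere.
  #
  #   snyk:
  #     runs-on: ubuntu-latest
  #     steps:
  #       - uses: actions/checkout@v4
  #         with:
  #           ref: ${{ github.event.pull_request.head.sha }}
  #       - run: npx snyk test
  #         env:
  #           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

  snyk:
    runs-on: ubuntu-latest
    # The environment's required-reviewer rule pauses the job here until a
    # project lead approves it, after reading the PR's changes. The secret
    # is not exposed to the job before that point.
    environment: external-checks
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the exact commit the reviewer approved, not the branch
          # name, so a later push to the fork cannot substitute other code.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the base repo's token in the checkout's git config
          # where untrusted build scripts could read it.
          persist-credentials: false
      - run: npx snyk test
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

The approval is only as good as the review behind it: the reviewer must look at the full diff of the approved commit (build scripts, lockfiles, and workflow files included), not just the description, because that commit is what runs with the secret in scope.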