dgraph-io / ristretto

A high performance memory-bound Go cache
https://dgraph.io/blog/post/introducing-ristretto-high-perf-go-cache/
Apache License 2.0

chore(ci): separate out coverage report workflow #353

Closed joshua-goldstein closed 1 year ago

joshua-goldstein commented 1 year ago

Current workflow is broken and not checking out the expected code (i.e. it is checking out the target branch as opposed to the PR and not reflecting changes made). This is due to the default behavior of pull_request_target. While it is possible to check out the PR code, this creates a security vulnerability since untrusted code will be run automatically without being sanitized. This PR will split off the part of the workflow that requires access to secrets (i.e. coverage reporting) from the part that runs the tests and uses pull_request, which has the expected behavior of checking out the merge commit. Thus only sanitized output (i.e. the coverprofile) from community PRs will enter the privileged workflow.

We also edit the cron job frequency to reset the email notifications and stop the ghost action jobs.

Note: CI is failing due to a timeout that this PR addresses.
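
The split described in this PR, sketched as an added example; these are not the PR's actual workflow files. The file names, workflow names, artifact name, the `COVERAGE_TOKEN` secret and the upload step are assumptions made for illustration.

```yaml
# File 1 (hypothetical name): .github/workflows/ci-tests.yml
# Unprivileged: runs PR code, sees no secrets, token is read-only.
name: ci-tests
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4         # on pull_request this is the merge commit
      - uses: actions/setup-go@v5
        with:
          go-version: stable
      - run: go test -coverprofile=covprofile ./...
      - uses: actions/upload-artifact@v4  # the only output that leaves this workflow
        with:
          name: covprofile
          path: covprofile
---
# File 2 (hypothetical name): .github/workflows/ci-coverage.yml
# Privileged: defined on the default branch, never checks out or runs PR code.
name: ci-coverage
on:
  workflow_run:
    workflows: [ci-tests]
    types: [completed]
permissions:
  actions: read     # required to read the artifact of the triggering run
  contents: read
jobs:
  report:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: covprofile
          path: artifact
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # The artifact is untrusted data: check its shape, never execute or source it.
      - run: head -n 1 artifact/covprofile | grep -Eq '^mode: (set|count|atomic)$'
      # Placeholder: call the coverage service's own uploader here.
      - run: echo "upload artifact/covprofile"
        env:
          COVERAGE_TOKEN: ${{ secrets.COVERAGE_TOKEN }}  # hypothetical secret name
```

The secret is only ever referenced in the second workflow, so a community PR that edits the first file cannot reach it.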