This PR adds some logic to the CI to determine if an external contribution triggers the CI. In such a case, the CI avoids using the external/add_label action which is not allowed in external contribution cases.
Deep research of the literature brought up some information regarding possible security issues when using the pull_request_target CI trigger. As long as we only use the pull_request trigger, there is no need, from now on, to include manual confirmation from a Collaborator with required permissions.
NOTE: Adding the skip-ci label as long as the external contributions CI is tested from the following external PR: 5219
As part of the CI pipelines, this PR needs to be included also in the critical-security-fixes-only 2.6.x supported branch.
@Mergifyio backport 3.0.x 2.14.x 2.10.x 2.6.x
Contributor Checklist
[x] Commit messages follow the project guidelines.
[x] The code follows the style guidelines of this project.
N/A Tests that thoroughly check the new feature have been added/Regression tests checking the bug and its fix have been added; the added tests pass locally
N/A Any new/modified methods have been properly documented using Doxygen.
N/A Any new configuration API has an equivalent XML API (with the corresponding XSD extension)
N/A Changes are backport compatible: they do NOT break ABI nor change library core behavior.
N/A Changes are API compatible.
N/A New feature has been added to the versions.md file (if applicable).
N/A New feature has been documented/Current behavior is correctly described in the documentation.
[x] Applicable backports have been included in the description.
Reviewer Checklist
[x] The PR has a milestone assigned.
[x] The title and description correctly express the PR's purpose.
[x] Check contributor checklist is correct.
[x] If this is a critical bug fix, backports to the critical-only supported branches have been requested.
N/A Check CI results: changes do not issue any warning.
N/A Check CI results: failing tests are unrelated with the changes.
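The gating described in this PR, shown as an added GitHub Actions example (not the project's actual workflow change): the workflow stays on the pull_request trigger, detects whether the PR head comes from a fork, and skips the label step in that case instead of switching to pull_request_target to obtain a writable token. The action reference ORG/CI-REPO/external/add_label@REF and the label name are placeholders, not the project's real values.

```yaml
name: ci
# pull_request (not pull_request_target): a PR from a fork then runs with a
# read-only GITHUB_TOKEN and without repository secrets, so untrusted PR code
# cannot write to the repository even if it edits the workflow it runs under.
on:
  pull_request:

permissions:
  contents: read
  pull-requests: write   # only honoured for same-repo PRs; forks stay read-only

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the PR merge commit

      # Detect an external contribution: the head repository differs from the
      # repository the workflow runs in. Values are passed through env instead
      # of being interpolated into the script body.
      - name: Detect external contribution
        id: origin
        env:
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        run: |
          if [ "$HEAD_REPO" != "$BASE_REPO" ]; then
            echo "external=true" >> "$GITHUB_OUTPUT"
          else
            echo "external=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Build and test
        run: echo "project build and test steps go here"   # placeholder

      # For a fork PR the token cannot add labels (the call fails with 403),
      # so the step is skipped rather than granted write access via
      # pull_request_target. Same-repo PRs still get the label.
      - name: Add label (same-repo PRs only)
        if: steps.origin.outputs.external == 'false'
        uses: ORG/CI-REPO/external/add_label@REF   # placeholder for the project's action
        with:
          labels: ci-passed   # placeholder label name
```

The same condition can be written inline as `if: github.event.pull_request.head.repo.full_name == github.repository` on the label step when no other step needs the result.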
This is an automatic backport of pull request #5220 done by Mergify.