github / privileged-requester

Privileged Requester Action
MIT License

Can I add myself to `privileged-requester.yaml` or set `commitVerification: false` in the PR and get auto approved/impersonate? #177

Open lawrencegripper opened 3 weeks ago

lawrencegripper commented 3 weeks ago

Sorry if there is a mitigation in here I've missed; I wanted to validate whether this was possible.

Is it possible, for example, to edit the privileged-requester.yaml file in the PR where I make my changes so that it includes my user as a privileged requestor?

In a similar issue to the one @nobe4 mentioned 👇, could I set commitVerification to false in the branch to allow impersonation and then push as the bot user with unsigned commits?

I think these would be mitigated by reading the configuration from the default branch rather than from the PR branch but I'm not sure how to work that with

GrantBirki commented 3 weeks ago

👋 Hey @lawrencegripper! Here are some of the answers you seek.

> Is it possible, for example, to edit the privileged-requester.yaml file in the PR where I make my changes so that it includes my user as a privileged requestor?

The method that fetches the privileged-requester config looks at the main branch by default.

> In a similar issue to the one @nobe4 mentioned 👇, could I set commitVerification to false in the branch to allow impersonation and then push as the bot user with unsigned commits?

I do believe that this would be possible due to the nature in which Actions works. Perhaps a safer option would be to include it in the config that lives on the main branch and inform the Action to always read from there rather than from its own config that can be altered on PRs?

lawrencegripper commented 3 weeks ago

> The method that fetches the privileged-requester config looks at the main branch by default.

Ah nice ❤️

> I do believe that this would be possible due to the nature in which Actions works.

Yeah, this is the route we try to use on Heaven when reading configuration that is enforcement/permissions related: we always try to read from the main branch. It's not always possible though, and sometimes we don't get it right.

GrantBirki commented 3 weeks ago

IMO we need to update this Action with a new major version (breaking change) that ensures all config options related to security live on the main branch outside of the Action's config.
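An added example (JavaScript, not the privileged-requester action's own code) of the mitigation the thread settles on: read the security-relevant config from the repository's default branch rather than the PR head, and flag a PR that changes it. The config path, the flat YAML schema, the synchronous contents-API stand-in and the event payload are assumptions constructed for this example.

```javascript
// Parser for the assumed flat YAML subset: a "commitVerification: <bool>" key
// and a "requesters:" block listing "- <login>" items.
function parseConfig(text) {
  const cfg = { commitVerification: true, requesters: [] };
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line === "requesters:") continue;
    if (line.startsWith("- ")) cfg.requesters.push(line.slice(2).trim());
    else if (line.startsWith("commitVerification:"))
      cfg.commitVerification = line.split(":")[1].trim() === "true";
  }
  return cfg;
}
// Constructed stand-in for the GitHub contents API (synchronous for brevity):
// the default branch holds the trusted file, the PR branch a self-serving copy.
const FAKE_REPO = {
  main: "commitVerification: true\nrequesters:\n  - trusted-bot\n",
  "feature/self-add":
    "commitVerification: false\nrequesters:\n  - trusted-bot\n  - pr-author\n",
};
function fakeGetContent({ ref }) {
  if (!(ref in FAKE_REPO)) throw new Error(`no such ref: ${ref}`);
  return { data: { content: Buffer.from(FAKE_REPO[ref]).toString("base64") } };
}
const CONFIG_PATH = ".github/privileged-requester.yaml"; // assumed location
function fetchConfig(getContent, ref) {
  const { data } = getContent({ path: CONFIG_PATH, ref });
  return parseConfig(Buffer.from(data.content, "base64").toString("utf8"));
}
// Unsafe: the ref is the PR author's own branch, which they fully control.
function loadFromPrHead(getContent, payload) {
  return fetchConfig(getContent, payload.pull_request.head.ref);
}
// Safe: the ref is the default branch, which a PR cannot rewrite.
function loadTrusted(getContent, payload) {
  return fetchConfig(getContent, payload.repository.default_branch);
}
// Security keys the PR branch changed relative to the trusted copy; a
// non-empty result is a reason to fail the run or label the PR for review.
function tamperedKeys(trusted, prHead) {
  const keys = [];
  if (trusted.commitVerification !== prHead.commitVerification) keys.push("commitVerification");
  if (trusted.requesters.join() !== prHead.requesters.join()) keys.push("requesters");
  return keys;
}
function isPrivileged(cfg, login) { return cfg.requesters.includes(login); }
// Constructed pull_request event payload (only the fields used here).
const EVENT = { pull_request: { head: { ref: "feature/self-add" }, user: { login: "pr-author" } },
  repository: { default_branch: "main" } };
```

With this payload, loadFromPrHead grants "pr-author" privileges and disables commit verification, while loadTrusted does neither and tamperedKeys reports both changed keys.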