nlohmann / json

JSON for Modern C++
https://json.nlohmann.me
MIT License

Refactor amalgamation workflow to avoid dangerous use of pull_request_target #3969

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

Closes #3945

I've followed the approach recommended by GitHub Security Lab - Preventing pwn requests. This way the pull_request workflow won't have any write privilege that could be exploited.

I have tested the new workflow to add the comment in case of failure in the amalgamation workflow here https://github.com/joycebrum/json/pull/3, and it worked fine.


coveralls commented 1 year ago

Coverage Status

Coverage: 100.0%. Remained the same when pulling 9380ab096ed8a9161749bc5b277bc8b9e92953ae on joycebrum:develop into b504dca35a6aac16c4596441a78024737bcc95c0 on nlohmann:develop.

nlohmann commented 1 year ago

Thanks a lot! I will merge once the CI runs through.
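
The split described in the pull request description, sketched as an added example; this is not the project's actual workflow code. The file names, the check command, the artifact name and the comment text are assumptions, and the two YAML documents below would live in two separate workflow files.

```yaml
# File 1 (hypothetical name): .github/workflows/check_amalgamation.yml
# Builds untrusted PR code, so the token is read-only and no secrets are exposed.
name: Check amalgamation
on: pull_request   # not pull_request_target
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./check_amalgamation.sh   # placeholder for the project's real check
      - if: failure()
        run: mkdir -p pr && echo "${{ github.event.pull_request.number }}" > pr/number
      - if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: pr
          path: pr/
---
# File 2 (hypothetical name): .github/workflows/comment_check_amalgamation.yml
# Runs the base branch's copy of this file; never checks out or executes PR code.
name: Comment on failed amalgamation check
on:
  workflow_run:
    workflows: ["Check amalgamation"]
    types: [completed]
permissions:
  actions: read          # needed to fetch the other run's artifact
  pull-requests: write
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'failure'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr
          path: pr
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - uses: actions/github-script@v7
        with:
          script: |
            // The artifact comes from the untrusted run: accept digits only.
            const s = require('fs').readFileSync('pr/number', 'utf8').trim();
            if (!/^\d+$/.test(s)) throw new Error('unexpected PR number');
            await github.rest.issues.createComment({ ...context.repo,
              issue_number: Number(s), body: 'The amalgamation check failed.' });
```

The privileged workflow treats the artifact as data only: it validates the PR number before use and builds the comment body from a fixed string rather than from anything the PR run produced.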