Closed foolip closed 4 years ago
This seems to work, https://github.com/whatwg/sg/runs/780908592 triggered https://github.com/whatwg/whatwg.org/runs/780910278 (as @whatbot)
So the risks here are that if peter-evans/repository-dispatch@v1 goes rogue, the DISPATCH_TOKEN is compromised, but that cannot really be used for much anyway?
An attacker would get write access to the whatwg/whatwg.org repo. From there they should be able to extract the deploy keys to marquee and SSH into it, at which point we'd be pretty thoroughly compromised.
That's a fair bit of trust to place in a nice-to-have wrapper. We could pin it to an exact commit, but reviewing changes to https://github.com/peter-evans/repository-dispatch/blob/v1/dist/index.js isn't going to be easy.
I'll try to craft the curl command line for this instead.
OK, after some flailing about I got it to work, https://github.com/whatwg/sg/runs/781040423 triggered https://github.com/whatwg/whatwg.org/actions/runs/138597128. @annevk r?
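As an added illustration of the approach discussed above (not the PR's own workflow step, and not code from peter-evans/repository-dispatch), the script below calls GitHub's `POST /repos/{owner}/{repo}/dispatches` endpoint directly with curl, so the only code that ever sees `DISPATCH_TOKEN` is curl itself. The target repo, the event name `sg-updated`, the `client_payload` fields and the `RUN_DISPATCH` guard are all assumptions made for this example; `GITHUB_SHA` and `GITHUB_REPOSITORY` are the standard Actions environment variables.

```bash
#!/bin/sh
# Added example: trigger a repository_dispatch event with plain curl instead of
# a third-party action, so no wrapper code has access to the token.
# Assumed values (not from the PR): TARGET_REPO, EVENT_TYPE, RUN_DISPATCH.

TARGET_REPO="${TARGET_REPO:-whatwg/whatwg.org}"   # owner/repo receiving the event
EVENT_TYPE="${EVENT_TYPE:-sg-updated}"            # constructed event name

# Build the JSON body for the dispatches endpoint.
# $1: event_type, $2: source repo, $3: commit sha
# The sha is the only field that comes from the environment, so it is checked
# to be lowercase hex before being interpolated into JSON (no quoting tricks).
build_dispatch_payload() {
  case "$3" in
    ""|*[!0-9a-f]*) echo "refusing non-hex sha: $3" >&2; return 1 ;;
  esac
  printf '{"event_type":"%s","client_payload":{"source":"%s","sha":"%s"}}' \
    "$1" "$2" "$3"
}

# Compose the API URL for the repository_dispatch endpoint.
# $1: owner/repo
dispatch_url() {
  printf 'https://api.github.com/repos/%s/dispatches' "$1"
}

# Send the event. Without a token this fails loudly (return 1) and prints the
# payload as a dry run, rather than silently skipping the step.
# -f makes curl exit non-zero on HTTP 4xx/5xx so the CI step fails visibly.
# $1: owner/repo, $2: JSON payload
send_dispatch() {
  if [ -z "${DISPATCH_TOKEN:-}" ]; then
    echo "DISPATCH_TOKEN not set; dry run, would POST:" >&2
    echo "$2" >&2
    return 1
  fi
  curl -sS -f -X POST \
    -H "Accept: application/vnd.github.v3+json" \
    -H "Authorization: token $DISPATCH_TOKEN" \
    -d "$2" \
    "$(dispatch_url "$1")"
}

# Only perform the network call when explicitly enabled (e.g. in a CI step:
#   RUN_DISPATCH=1 sh dispatch.sh). Sourcing or testing the file sends nothing.
if [ "${RUN_DISPATCH:-0}" = "1" ]; then
  payload="$(build_dispatch_payload "$EVENT_TYPE" \
    "${GITHUB_REPOSITORY:-whatwg/sg}" "${GITHUB_SHA:-}")" || exit 1
  send_dispatch "$TARGET_REPO" "$payload"
fi
```

In a workflow step this replaces the `uses: peter-evans/repository-dispatch@v1` line with a `run:` step; the token still needs write access to the receiving repo for `repository_dispatch` to be accepted, so the blast radius described above is reduced by removing the third-party code path, not by shrinking what the token can do.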
FWIW, Azure Pipelines has something lighter-weight where no agent at all is required: https://docs.microsoft.com/en-us/azure/devops/pipelines/process/phases?view=azure-devops&tabs=yaml#server-jobs
But GitHub Actions does not, AFAICT.
Alright, this all seems to work: https://github.com/whatwg/whatwg.org/runs/781299300
I did accidentally rebase all the junk commits onto master, though. Disabled branch protection and force pushed to fix.
Fixes https://github.com/whatwg/sg/issues/110.