github/workflows/cla-check: enable comments by running in the context of the base repository #13578
Conversation
… of the base repository Enable running the action in the context of the base repository, see: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target so that write permissions are set and comments can be posted to the PR. Signed-off-by: Maciej Borzecki <maciej.borzecki@canonical.com>
| # Only run on pull requests: not pushes | ||
| pull_request: | ||
| # Only run when a pull request get opened; run in the context of the base | ||
| # repository, not the fork so that comments can be posted |
There was a problem hiding this comment.
From the linked page
Warning: For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" on the GitHub Security Lab website.
I think this is quite dangerous. What are you trying to fix that is broken today?
There was a problem hiding this comment.
from the same page:
This event runs in the context of the base of the pull request, rather than in the context of the merge commit, as the pull_request event does. This prevents execution of unsafe code from the head of the pull request that could alter your repository or steal any secrets you use in your workflow. This event allows your workflow to do things like label or comment on pull requests from forks. Avoid using this event if you need to build or run code from the pull request.
What does not work, is the check cannot automatically add comment whenever the CLA needs to be signed.
There was a problem hiding this comment.
I see, let me read the docs some more.
|
Failures do not relate to change. Force merging. |
Enable running the action in the context of the base repository, see: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target so that write permissions are set and comments can be posted to the PR.
Also see https://github.com/canonical/has-signed-canonical-cla?tab=readme-ov-file#has-signed-canonical-cla