ci: Update comments for the settings workflow (#1476)

Since the introduction of `vars` to GitHub Actions, I started using that instead of the "environments" trick I used in Packager. However, it has become clear now that the `vars` strategy has major drawbacks, such as requiring the use of `pull_request_target`, which should only be used for actions that do not execute PR-author-controlled code. This updates the comments to clarify why this is used. This reusable settings workflow will also be deployed now in other repos to standardize on this "environments" mechanism, which is safer than `vars`.
shaka-project · Jan 17, 2025 · 89d59a3 · 89d59a3
1 parent 565fec5
commit 89d59a3
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/.github/workflows/settings.yaml b/.github/workflows/settings.yaml
@@ -6,9 +6,15 @@
 
 # A reusable workflow to extract settings from a repository.
 # To enable a setting, create a "GitHub Environment" with the same name.
-# This is a hack to enable per-repo settings that aren't copied to a fork.
-# Without this, test workflows for a fork would time out waiting for
-# self-hosted runners that the fork doesn't have.
+#
+# This enables per-repo settings that aren't copied to a fork.  This is better
+# than "vars" or "secrets", since those would require the use of
+# `pull_request_target` instead of `pull_request` triggers, which come with
+# additional risks such as the bypassing of "require approval" rules for
+# workflows.
+#
+# Without a setting for flags like "self_hosted", test workflows for a fork
+# would time out waiting for self-hosted runners that the fork doesn't have.
 name: Settings
 
 # Runs when called from another workflow.