Build mmaps for comparison on PR branch. #949
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
update changelog, please. Add newline in the end of mmaps_pr_generate.yaml |
fritx
added a commit
to fritx/jsonmerge
that referenced
this pull request
Jan 22, 2024
https://github.com/marketplace/actions/git-auto-commit#use-in-forks-from-public-repositories stefanzweifel/git-auto-commit-action#211 https://github.com/orgs/community/discussions/26829#discussioncomment-3253580 winglang/wing#5115 pyiron/actions#44 UffizziCloud/preview-action#80 ASFHyP3/hyp3-isce2#179 tveastman/secateur#54 stm32-rs/stm32-rs#949 actions/gh-actions-cache#73
fritx
added a commit
to Jayin/jsonmerge
that referenced
this pull request
Jan 22, 2024
https://github.com/marketplace/actions/git-auto-commit#use-in-forks-from-public-repositories stefanzweifel/git-auto-commit-action#211 https://github.com/orgs/community/discussions/26829#discussioncomment-3253580 winglang/wing#5115 pyiron/actions#44 UffizziCloud/preview-action#80 ASFHyP3/hyp3-isce2#179 tveastman/secateur#54 stm32-rs/stm32-rs#949 actions/gh-actions-cache#73
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The GitHub Action which generates the mmap comparison link for pull requests currently applies the YAML patches from the PR branch using the SVDs and tooling from the master branch in order to avoid running the untrusted tooling code from the PR branch in a context where it has access to secrets. For more context see #919.
This replaces that workflow with a pair that implement the pattern described in GitHub's blog post on how to combine an untrusted build with privileged actions.
Unfortunately (as is typical of CI changes) I haven't been able to test the new workflows as that would require setting up a bunch of temporary repositories.
Since this switches from the
pull_request_targetevent topull_request, workflows may no longer run automatically for PRs submitted by first-time contributors. You should check the setting for when to run workflows for PRs from forks.The switch to the
pull_requestevent also means that the job to generate the mmaps will run on a commit generated by GitHub that merges the PR head branch into master, and that it won't run at all if there are merge conflicts. I think that's probably a good thing, but if you want, I think I can change it to run on the PR head commit.I would also recommend changing the default
GITHUB_TOKENpermissions to "Restricted". That will ensure that Actions jobs don't have write access to anything unless they request it specifically with thepermissonssetting in their YAML file. I've looked over the other workflows and I think all of the ones that need extra permissions already request them.