[ci] Fix apache/pulsar-test-infra/paths-filter action permission in CodeQL workflow #4361
Conversation
Could you please share the fail link, in my memory, CodeQL workflow always run well.
@shoothzj We run the CI in our own repo and found that CodeQL doesn't have the permission.
IMO, it's a little hard to maintain this change; the community doesn't face this problem. At least we should have some CodeQL documentation.
I see the original permissions are copied from https://github.com/github/codeql-action/blob/59c62518002b2015b741cd192d3b36bc7787efc7/README.md.
Or we can test it in a fork repo? I can help with this :)
Hi @shoothzj, I think this workflow works well in a public forked repo, but if it is a private repo, we need to declare the
I updated the title and commit msg, maybe it is more accurate.
Is this change exposing secrets to GitHub users? @yaalsn if you want to maintain a private fork, I think that you already have other changes that are not here in the public repo.
@yaalsn Thanks for your explanation, I change my mind to +0, I won't block this PR. But it seems weird you still need approval to trigger the CI. You already have PRs merged into the repo.
Thanks for your explanation, I change my mind to +0
No, it doesn't expose secrets to anyone or add a security risk, because the GitHub action. This is a GitHub security setting. We should declare the workflow job permissions; this lets the ones who forked the repo know which permissions it uses instead of a black box. docs:
Motivation
The CodeQL workflow needs the read permission on pull-requests when it uses the action apache/pulsar-test-infra/paths-filter@master.
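As an added illustration (not the PR's own diff), a minimal CodeQL job with an explicit least-privilege permissions block: the pull-requests read grant is the one the description says the paths-filter step needs, alongside the permissions the codeql-action README linked above recommends. The filter name, the analyzed language (Go), the `filters` input and the action version tags are assumptions for the example.

```yaml
name: CodeQL

on:
  pull_request:
    branches: [master]

jobs:
  analyze:
    runs-on: ubuntu-latest
    # Declaring permissions per job restricts GITHUB_TOKEN to what the job
    # needs and documents that need for anyone who forks the repo.
    # Without `pull-requests: read`, listing the PR's changed files fails
    # where the default token is restricted (e.g. a private fork).
    permissions:
      actions: read
      contents: read
      security-events: write
      pull-requests: read
    steps:
      - uses: actions/checkout@v4

      # Example filter (assumed name "go"); the action reference is the
      # one named in the PR description.
      - name: Detect changed paths
        id: changes
        uses: apache/pulsar-test-infra/paths-filter@master
        with:
          filters: |
            go:
              - '**/*.go'

      - name: Initialize CodeQL
        if: steps.changes.outputs.go == 'true'
        uses: github/codeql-action/init@v3
        with:
          languages: go

      - name: Perform CodeQL Analysis
        if: steps.changes.outputs.go == 'true'
        uses: github/codeql-action/analyze@v3
```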