Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ci] Fix apache/pulsar-test-infra/paths-filter action permission in CodeQL workflow #4361

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[ci] Fix apache/pulsar-test-infra/paths-filter action permission in CodeQL workflow #4361

wants to merge 1 commit into from

Conversation

yaalsn
Copy link
Contributor

@yaalsn yaalsn commented May 11, 2024

Motivation

The codeql workflow needs read pull-requests permission when use action apache/pulsar-test-infra/paths-filter@master
image

shoothzj
shoothzj reviewed May 11, 2024
View reviewed changes
Copy link
Member

@shoothzj shoothzj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please share the fail link, in my memory, CodeQL workflow always run well.

@hangc0276
Copy link
Contributor

Could you please share the fail link, in my memory, CodeQL workflow always run well.

@shoothzj We run the CI in our own repo and found the CodeQL doesn't have permission

@hangc0276 hangc0276 requested review from eolivelli and zymap May 11, 2024 10:16
@hangc0276 hangc0276 added this to the 4.18.0 milestone May 11, 2024
shoothzj
shoothzj previously requested changes May 11, 2024
View reviewed changes
Copy link
Member

@shoothzj shoothzj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, it's a little hard to maintaince this change, the community doesn't face this problem, at least we should have some CodeQL documentaion.
I see the original permissions is copied from https://github.com/github/codeql-action/blob/59c62518002b2015b741cd192d3b36bc7787efc7/README.md.

Or we can test it in a fork repo? I can help with this :)

@yaalsn
Copy link
Contributor Author

yaalsn commented May 11, 2024
edited

Hi @shoothzj , I think this workflow works well in public forked repo, but if it is a private repo, we need to declare the pull-requests permission because the following action needs to request github list PRs api using GITHUB_TOKEN. The workflow needs this permission and it wasn't added before, I just add it to fix the permission.

  - name: Detect changed files
    id: changes
    uses: apache/pulsar-test-infra/paths-filter@master
    with:
      filters: .github/changes-filter.yaml
      list-files: csv

image

@yaalsn yaalsn changed the title [ci] Fix CodeQL workflow permission [ci] Fix apache/pulsar-test-infra/paths-filter action permission in CodeQL workflow May 11, 2024
@yaalsn
Copy link
Contributor Author

yaalsn commented May 11, 2024
edited

I updated the title and commit msg, maybe it is more accurate.

@yaalsn yaalsn force-pushed the fix-codeql-workflow-permission branch from 8180925 to da48a22 Compare May 11, 2024 11:44
@eolivelli
Copy link
Contributor

Is this change exposing secrets to github users?

@yaalsn if you want to maintain a provate fork I think that you have already other changes that are no here in the public repo.
If this change add security risky for the community I suggest to push this change only to your repo

@shoothzj
Copy link
Member

@yaalsn Thanks for your explanation, I change my mind to +0, I won't block this PR. But it seems werid you still needs Approval to triggered from CI. You already have pr merged into repo.

@shoothzj shoothzj dismissed their stale review May 11, 2024 12:30

Thanks for your explanation, I change my mind to +0

@yaalsn
Copy link
Contributor Author

yaalsn commented May 12, 2024

Is this change exposing secrets to github users?
If this change add security risky for the community I suggest to push this change only to your repo

@eolivelli

No, it doesn't expose secret to anyone or add secrity risky, because the github action apache/pulsar-test-infra/paths-filter@master is reliable. Instead, it add the safety.

This is a github security setting. We should declare the workflow job permission, this makes the ones who forked repo know which permissions it uses instead of a black box. apache/bookkeeper just uses the default non-security strategy, this means the PRs github action can do anything using GITHUB_TOKEN after the PR is approved to run, but the reviewers don't know the action does clearly.

docs:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hangc0276 hangc0276 hangc0276 approved these changes

@nicoloboschi nicoloboschi nicoloboschi approved these changes

@shoothzj shoothzj shoothzj left review comments

@eolivelli eolivelli Awaiting requested review from eolivelli

@zymap zymap Awaiting requested review from zymap

Assignees

@yaalsn yaalsn

Labels
area/build
Projects
None yet
Milestone
4.18.0
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@yaalsn @hangc0276 @eolivelli @shoothzj @nicoloboschi