You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Is your feature request related to a problem? Please describe.
The way auto-release workflow is triggered, seems like anyone that opens a pull request with release-please in the branch name would be able to trigger a release.
double checking that the bot authored the pull request using github.actor == 'release-please' or github.event.pull_request.user.login == 'release-please'
Thanks for stopping by to let us know something could be better!
PLEASE READ: If you have a support contract with Google, please create an issue in the support console instead of filing on GitHub. This will ensure a timely response.
Is your feature request related to a problem? Please describe.
The way
auto-releaseworkflow is triggered, seems like anyone that opens a pull request withrelease-pleasein the branch name would be able to trigger a release.https://github.com/googleapis/google-http-java-client/blob/main/.github/workflows/auto-release.yaml#L22
Not sure if this is working as intended.
Describe the solution you'd like
I suggest we add a second layer of verification or "approval" to run the release workflow, such as:
github.actor == 'release-please'orgithub.event.pull_request.user.login == 'release-please'Describe alternatives you've considered
None.
Additional context
I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes.
The text was updated successfully, but these errors were encountered: