Use fork method to have auto starting manifest PRs #4090
Merged
Conversation
Using the method mentioned here: https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork

Why did we create a new bot instead of using wptfyibot?
- It currently has write access to the repo, and generating a PAT for it is a security risk in case the third-party peter-evans/create-pull-request action is compromised. It could then have write access to this repository.
- A future optimization: once fine-grained PATs are out of beta and someone tests them with peter-evans/create-pull-request, we might be able to consolidate back to using only wptfyibot. More about fine-grained PATs can be found [here](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token#creating-a-fine-grained-personal-access-token)

In a future commit, we will update resolve_merge_conflict.yml to use v5 of the same action.
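As an added example (not the project's own workflow), this is what the fork-based create-pull-request setup the description refers to looks like. The workflow name, schedule, regeneration script, secret name and the fork `manifest-bot/upstream-repo` are placeholders; the two inputs that carry the security property are `token` and `push-to-fork`, both documented inputs of peter-evans/create-pull-request.

```yaml
# .github/workflows/update-manifest.yml (hypothetical file name)
name: Update manifest
on:
  schedule:
    - cron: '0 6 * * *'        # hypothetical schedule
permissions:
  contents: read               # the job's GITHUB_TOKEN never gets write access here
jobs:
  manifest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./regenerate-manifest.sh   # hypothetical: rewrites the manifest in the working tree
      - uses: peter-evans/create-pull-request@v5
        with:
          # PAT of the machine user that owns the fork. That user has no write
          # access upstream, so a compromised action can only push to the fork.
          token: ${{ secrets.MANIFEST_BOT_PAT }}
          # Fork owned by the machine user; the branch is pushed there and the
          # pull request is opened against this (upstream) repository.
          push-to-fork: manifest-bot/upstream-repo
          branch: auto/update-manifest
          commit-message: Update manifest
          title: Update manifest
          body: Automated manifest refresh.
```

Because the PAT belongs to the fork-owning machine user, the blast radius of a compromised action is that user's fork, not the upstream repository. Using a PAT instead of GITHUB_TOKEN is also what makes the resulting PR start `pull_request` workflows: events created with the workflow's own GITHUB_TOKEN do not trigger other workflows.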
Did not mean for this to auto merge. Forgot to label this with do not merge yet
jcscottiii added a commit that referenced this pull request on Apr 26, 2023
Moving to the least privileged model for creating the PR in #4090 brought a new problem: the forked PR is unable to be auto-approved. This is because PR runs do not have access to GITHUB_TOKEN, which is needed for the auto-approver. GitHub tightened up their security model a few years ago to prevent this. Details in this [doc](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

The doc also shows the recommended implementation, which this commit uses:
- Use the required "Run Tests" workflow as the unprivileged run that runs when the PR is made.
- Move the auto-approval to be triggered after the "Run Tests" workflow. This is privileged and has access to the GITHUB_TOKEN.

Examples using this same approach:
- https://github.com/MaibornWolff/codecharta/blob/main/.github/workflows/auto-approve-and-merge.yml

Other changes:
- Migrate to hmarr/auto-approve-action@v3. Remove the explicit need for GITHUB_TOKEN in v3.
- Name the test.yml workflow "Run tests"
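The split the commit message describes, written out as an added example rather than the repository's actual workflows: an unprivileged `pull_request` workflow that runs on the PR head, and a `workflow_run` workflow on the default branch that approves only after the first one has succeeded. `manifest-bot`, `make test` and the file names are placeholders; the `pull-request-number` input is assumed to be accepted by hmarr/auto-approve-action@v3.

```yaml
# --- .github/workflows/test.yml (unprivileged: runs the fork's code) ---
name: Run tests
on:
  pull_request:
permissions:
  contents: read               # fork PRs only get a read-only GITHUB_TOKEN anyway
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test         # hypothetical test command
---
# --- .github/workflows/auto-approve.yml (privileged: runs from the default branch) ---
name: Auto-approve manifest PRs
on:
  workflow_run:
    workflows: ["Run tests"]   # must match the unprivileged workflow's name
    types: [completed]
permissions:
  pull-requests: write         # needed to submit the review
jobs:
  approve:
    # Fail closed: only a green run, only for pull_request events, only when the
    # run was triggered by the bot account ('manifest-bot' is a placeholder).
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.actor.login == 'manifest-bot'
    runs-on: ubuntu-latest
    steps:
      # Nothing from the PR is checked out or executed here. The PR is resolved
      # from the trusted workflow_run payload: same fork, same branch, same SHA.
      - uses: actions/github-script@v6
        id: pr
        with:
          script: |
            const run = context.payload.workflow_run;
            const { data: prs } = await github.rest.pulls.list({
              ...context.repo,
              state: 'open',
              head: `${run.head_repository.owner.login}:${run.head_branch}`,
            });
            const pr = prs.find(p => p.head.sha === run.head_sha
                                  && p.user.login === 'manifest-bot');
            if (!pr) {
              core.setFailed('no open bot PR at the tested commit');
              return;
            }
            core.setOutput('number', pr.number);
      - uses: hmarr/auto-approve-action@v3
        with:
          pull-request-number: ${{ steps.pr.outputs.number }}
```

The Security Lab article passes the PR number from the unprivileged run to the privileged one through an artifact; this example instead looks the PR up from the `workflow_run` payload and insists that its head SHA matches the tested commit and that its author is the bot account, so an attacker's PR cannot nominate a different PR number for approval, and a push after the tests ran leaves nothing to approve. Note that `workflow_run` workflows only fire from the default branch, so changes to auto-approve.yml take effect after they are merged.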
jcscottiii added a commit that referenced this pull request on Apr 26, 2023
Moving to the least privileged model for creating the PR in #4090 brought a new problem: the forked PR is unable to be auto-approved. This is because PR runs do not have access to GITHUB_TOKEN, which is needed for the auto-approver. GitHub tightened up their security model a few years ago to prevent this. Details in this [doc](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

The doc also shows the recommended implementation, which this commit uses:
- Use the required "test" workflow as the unprivileged run that runs when the PR is made.
- Move the auto-approval to be triggered after the "Run Tests" workflow. This is privileged and has access to the GITHUB_TOKEN.

Examples using this same approach:
- https://github.com/MaibornWolff/codecharta/blob/main/.github/workflows/auto-approve-and-merge.yml

Other changes:
- Migrate to hmarr/auto-approve-action@v3. Remove the explicit need for GITHUB_TOKEN in v3.
github-actions bot pushed a commit that referenced this pull request on Apr 27, 2023
Fixes: #1444