
fix(ci): dependabot PRs fixes #117

Merged
merged 1 commit into from
Mar 15, 2021

Conversation

jasperroel
Contributor

Description

  • Dependabot checks for this repository need access to secrets in order to be tested. Recent changes at GitHub prevent "normal" PRs from Dependabot from being tested (since they now get a read-only GitHub token and no secrets).
  • This PR changes that, allowing Dependabot PRs to run in a "trusted" environment again via pull_request_target.

See https://securitylab.github.com/research/github-actions-preventing-pwn-requests
See https://github.blog/changelog/2021-02-19-github-actions-workflows-triggered-by-dependabot-prs-will-run-with-read-only-permissions/
See dependabot/dependabot-core#3253

Reviewer Testing

The following steps are required for testing and verifying.

  • Wait for a dependabot[bot] PR and hope it succeeds
  • Create a "user" PR (like this one) and see that the Checks run as normal

Relevant Tickets (Please add closes, refs, etc)

@jasperroel jasperroel requested a review from a team as a code owner March 15, 2021 10:36
@jasperroel jasperroel requested review from prescottprue and mathieudi and removed request for a team March 15, 2021 10:36
```yaml
on:
  pull_request_target:
    branches:
      - master
```
Contributor

@prescottprue prescottprue Mar 15, 2021


Just noticed that both this and pantry still use master as the default branch - nice work matching the config to the repo 👏
