Safely and easily support CI checks on PRs from repo forks #4124
Comments
I should also say that I'm totally fine with the outcome of this discussion being to add a note to our CONTRIBUTING.md docs saying that, due to constraints, we only accept PRs from permission-granted contributors.

Yes, I think we need to whitelist through GitHub.

I certainly don't want it that any joe shmo who opens a PR we've never encountered before gets access to CI, which is why by default GitHub does that, and I think that is great.

I totally support this, just don't want our seat count to explode. If there's a whitelist that doesn't add seats I'd love that.

No, we whitelist CI. This is a GitHub built-in; CI doesn't run today unless you approve the contributor.

They don't need to be in the org.
This PR with no code changes was failing many required CI checks, which led us to find that our repository is not set up well to accept PRs from repository forks, which is a very common contribution pattern in open source.
This issue shed some light on other discussions, and led to this article from the GitHub Security Lab. There is some guidance there that I am trying to digest and map onto our repository's needs.
I am definitely not the best person to reason about the security implications of our GH Actions, nor about how to reconfigure them to support external fork PRs in a safe manner; I just want to kick off the discussion so we can align on a course of action. I believe setting this up now will pay dividends in the future.
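As an added illustration (not a workflow from this repository), this is the shape of a PR workflow that follows the GitHub Security Lab guidance referenced above: it triggers on `pull_request`, where fork PRs get a read-only `GITHUB_TOKEN` and no repository secrets, and it gates the one step that needs a secret so a fork PR does not fail a required check just because the secret is empty. The job id, the secret name `CODECOV_TOKEN` and the commands are placeholders; the approval gate for first-time contributors that the comments describe is a repository Actions setting, not something expressed in the workflow file.

```yaml
# Added example, not the project's own workflow. Placeholder names:
# job "test", secret CODECOV_TOKEN, the make and upload commands.
name: ci

on:
  # `pull_request` runs against the PR merge commit with a read-only
  # GITHUB_TOKEN and, for forks, no repository secrets, so untrusted
  # code cannot reach them. `pull_request_target` would run with write
  # access and secrets, and must never check out or execute PR code.
  pull_request:

# Least privilege for every job in this workflow.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build and test
        run: make test   # placeholder command

      # On a fork PR the secret is empty, so an unguarded upload step
      # fails and takes the required check down with it. Only run it
      # when the PR head lives in this repository.
      - name: Upload coverage (same-repo PRs only)
        if: github.event.pull_request.head.repo.full_name == github.repository
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        run: ./upload-coverage.sh   # placeholder command
```

Any step that genuinely must run with secrets for fork PRs belongs in a separate `workflow_run` or `pull_request_target` workflow that never checks out the PR's code, which is the split the Security Lab article recommends.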