ci: Fix Development Freeze Automation
author Jan Macku <jamacku@redhat.com>
Fri, 3 Feb 2023 09:25:51 +0000 (10:25 +0100)
committer Luca Boccassi <luca.boccassi@gmail.com>
Fri, 3 Feb 2023 14:03:39 +0000 (14:03 +0000)
commit 4dab1eb952d48d32f5c604005247e7ac1f4fdda2
tree 6d690fe6009547f1158737758493b7d457887d2d
parent 45ab6f2a374d251090857b33001c760da6b09208
ci: Fix Development Freeze Automation

Due to the limitation of `GITHUB_TOKEN` when running workflows from forks,
it's required to split the `development_freeze` workflow in two.

* The first workflow runs on the `pull_request` trigger and saves the PR
number in an artifact. This workflow runs with read-only permissions
on `GITHUB_TOKEN`.
* The second workflow is triggered on `workflow_run`. It runs
directly in the `systemd/systemd` context and can be granted permission
to create comments on the PR.

GITHUB_TOKEN limitations:

* https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

GitHub Security Lab article - How to correctly and safely overcome GITHUB_TOKEN limitations:

* https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
.github/workflows/development_freeze.yml
.github/workflows/gather-pr-metadata.yml [new file with mode: 0644]
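The two-workflow split the commit message describes, written out as an added example. These are not the systemd project's workflow files; the workflow names, artifact name (`pr_number`), freeze notice text and the `actions/*` version tags are assumptions. The first document is the read-only `pull_request` workflow that only records the PR number; the second is the `workflow_run` workflow that runs in the base repository with a write-capable `GITHUB_TOKEN`. Because the artifact is produced by a run that executed the fork's code, the second workflow treats its content as untrusted: it accepts only a plain integer, and then cross-checks that the PR's current head commit matches the `head_sha` of the triggering run before posting a comment.

```yaml
# Assumed file: .github/workflows/gather-pr-metadata.yml
# Runs in the fork PR context; GITHUB_TOKEN is read-only there regardless.
name: Gather PR Metadata

on:
  pull_request:
    types: [opened, reopened, synchronize]

permissions:
  contents: read

jobs:
  gather:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no checkout: nothing from the fork is executed here.
      - name: Save PR number
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          mkdir -p pr
          printf '%s\n' "$PR_NUMBER" > pr/pr_number
      - uses: actions/upload-artifact@v3
        with:
          name: pr_number
          path: pr/
---
# Assumed file: .github/workflows/development_freeze.yml
# Triggered by completion of the workflow above; runs in the base repo context.
name: Development Freeze

on:
  workflow_run:
    workflows: ["Gather PR Metadata"]
    types: [completed]

permissions:
  pull-requests: write   # only what createComment needs

jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    steps:
      - name: Download the pr_number artifact from the triggering run
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            const { owner, repo } = context.repo;
            const list = await github.rest.actions.listWorkflowRunArtifacts({
              owner, repo, run_id: context.payload.workflow_run.id,
            });
            const art = list.data.artifacts.find(a => a.name === 'pr_number');
            if (!art) { core.setFailed('pr_number artifact not found'); return; }
            const dl = await github.rest.actions.downloadArtifact({
              owner, repo, artifact_id: art.id, archive_format: 'zip',
            });
            fs.writeFileSync('pr_number.zip', Buffer.from(dl.data));
      - run: unzip -o pr_number.zip
      - name: Validate the untrusted artifact content
        id: pr
        run: |
          set -eu
          pr="$(tr -d '[:space:]' < pr_number)"
          # Produced under the fork's control: accept only a plain integer.
          case "$pr" in
            ''|*[!0-9]*) echo "invalid PR number: '$pr'" >&2; exit 1 ;;
          esac
          echo "number=$pr" >> "$GITHUB_OUTPUT"
      - name: Check the PR matches the triggering run, then comment
        uses: actions/github-script@v6
        env:
          PR_NUMBER: ${{ steps.pr.outputs.number }}
        with:
          script: |
            const { owner, repo } = context.repo;
            const pull_number = Number(process.env.PR_NUMBER);
            const pr = await github.rest.pulls.get({ owner, repo, pull_number });
            // A fork could write any number into the artifact; only act if this
            // PR's head is the commit that actually triggered the upstream run.
            if (pr.data.head.sha !== context.payload.workflow_run.head_sha) {
              core.setFailed(`PR #${pull_number} head does not match triggering run`);
              return;
            }
            await github.rest.issues.createComment({
              owner, repo, issue_number: pull_number,
              body: 'Note: the repository is currently in a development freeze.',  // assumed wording
            });
```

The `if:` guard on the second job matters in practice: `workflow_run` fires for every completion of the named workflow, including runs triggered by pushes to the base repository, so without the `event == 'pull_request'` check the job would look for an artifact that was never uploaded. The `head.sha` comparison is what stops a malicious fork from targeting someone else's PR by writing a different number into the artifact.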