TST: small change to csvs to test xml generation #54
Conversation
@@ -23,7 +23,6 @@ jobs: | |||
- uses: actions/checkout@v4 | |||
with: | |||
fetch-depth: 0 | |||
ref: ${{ github.head_ref }} |
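Review bot: `ref: ${{ github.head_ref }}` at the end of this hunk is a branch name, and with no `repository:` input checkout resolves it in the base repository, so for a pull request from a fork the ref does not exist, and for a same-repo pull request the branch can be pushed to after the run has started. Pin the checkout to the reviewed commit instead, e.g. `repository: ${{ github.event.pull_request.head.repo.full_name }}` and `ref: ${{ github.event.pull_request.head.sha }}`. Since the thread says this job runs on `pull_request_target`, the checkout also places untrusted PR content in a job that holds the base repository's token; with `fetch-depth: 0` keep the job to reading files (the diff), do not execute anything from the checked-out tree, and set `persist-credentials: false` so the token is not written into the untrusted clone.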
Since this job triggers on pull_request_target and not pull_request, the default checkout would be the branch we are merging into. So if we are trying to merge into the master branch, we would just compare it with itself and post an empty diff.
I think what's happening is that it's trying to checkout the source branch from the target repo (I hope I'm using the right terminology) which doesn't exist. Maybe this would work?
ref: "${{ github.event.pull_request.head.ref }}"
repository: "${{ github.event.pull_request.head.repo.full_name }}"
where we explicitly define where the branch is coming from
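The checkout fix discussed above, written out as a complete job, with the original setting kept alongside the corrected one. This is an added example, not this repository's workflow: the workflow name, job name and the CSV diff step are illustrative, and it assumes the job really does run on `pull_request_target` as stated in the thread.

```yaml
# Added example (not this repository's workflow): a pull_request_target job that
# checks out the pull request head from the fork, pinned to the exact commit
# that was reviewed. Workflow, job and step names are illustrative.
name: diff-comment
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Default token is read-only; only the job that posts needs pull-requests: write.
permissions:
  contents: read

jobs:
  diff:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Weak: `ref: ${{ github.head_ref }}` is a branch name resolved in the
      # base repository. For a fork PR that branch does not exist; for a
      # same-repo PR the branch can move after the workflow has started.
      #
      # - uses: actions/checkout@v4
      #   with:
      #     fetch-depth: 0
      #     ref: ${{ github.head_ref }}

      # Corrected: name the fork explicitly and pin to the head commit SHA so a
      # later push to the branch cannot change what this run inspects.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not write the base repository's token into the untrusted clone.
          persist-credentials: false

      # Fetch the base branch from the base repository into a local ref so the
      # diff is head vs base rather than base vs itself.
      - name: Fetch base branch
        run: git fetch https://github.com/${{ github.repository }} ${{ github.event.pull_request.base.ref }}:base

      # Under pull_request_target only read files from the untrusted checkout;
      # never run its scripts, install its dependencies or import its code.
      - name: Diff CSVs against base
        run: git diff base...HEAD -- '*.csv' > diff.txt
```

The pinned SHA is what the reviewer actually looked at; `head.ref` is whatever the branch points to at the moment checkout runs, which can differ. `persist-credentials: false` matters here because the clone contains untrusted content and the default behaviour leaves the workflow token in `.git/config`.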
Good call 👍
0,QRIX,,,,,, | ||
,,MR1K1:BEND:RTD:US:1_RBV,TEMPERATURE,,,, |
Unfortunately, I think we still have to merge this to test it. Was this change meant to just test the daff workflow or do you actually want to add it?
This PR wasn't meant to test the daff workflow at all, it was meant to test the xml generation with some modified repository permissions / push-access-bypass settings.
I just got side-tracked by the big red ❌ from the daff workflow
A bit more reading revealed that the https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ Take 2: The comment workflow requires write permissions or
e13c4e2 to e11e2f2
I didn't consider anything security wise when I wrote this, but could we make a secret github key that only has write permissions on pull requests? Alternatively we could follow the security lab paper and store the diff in an artifact in a pull-request workflow, and have another job trigger on workflow-run to make the comment.
If we want to fully restrict access, I think the github approved way of posting a comment is through the REST API. We can scope out a fine-grained access token specifically allowed to post comments only
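The artifact-plus-workflow_run split proposed above and in the Security Lab "Take 2" link, written out as two workflows. This is an added example and not this repository's workflows: the file names, workflow names (`daff-diff`, `daff-comment`), artifact name and the CSV diff command are all assumptions; the two files are shown as two YAML documents in one block.

```yaml
# Added example (not this repository's workflows). Two files, shown as two YAML
# documents; file, workflow, job and artifact names are illustrative.
#
# .github/workflows/daff-diff.yml
# Runs on pull_request with a read-only token, so untrusted PR code can run
# here without being able to write to the repository or post comments.
name: daff-diff
on:
  pull_request:
permissions:
  contents: read
jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Build diff
        run: git diff origin/${{ github.base_ref }}...HEAD -- '*.csv' > diff.txt
      # The workflow_run event does not carry the PR number, so it must travel
      # with the artifact. Anything in the artifact is attacker-controlled.
      - name: Record PR number
        run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: daff-diff
          path: |
            diff.txt
            pr_number.txt
---
# .github/workflows/daff-comment.yml
# Triggered when the workflow above completes. Runs in the base repository's
# context with only the scopes needed to fetch the artifact and post a
# comment; it never checks out or executes PR code.
name: daff-comment
on:
  workflow_run:
    workflows: [daff-diff]
    types: [completed]
permissions:
  actions: read
  pull-requests: write
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: daff-diff
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Treat the artifact as untrusted input: accept the PR number only if it
      # is a plain integer, and pass the diff as data, never through eval.
      - name: Post comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          pr=$(tr -d '[:space:]' < pr_number.txt)
          case "$pr" in ''|*[!0-9]*) echo "bad PR number in artifact" >&2; exit 1;; esac
          { printf '```diff\n'; cat diff.txt; printf '```\n'; } > body.md
          gh api "repos/$REPO/issues/$pr/comments" -F body=@body.md
```

The privileged workflow holds `pull-requests: write` but never runs anything from the pull request, which is the whole point of the split. The PR number and diff still come from the untrusted run, so the posting job validates the number and posts the diff only as comment text; a PR could at most direct a comment at another PR number in the same repository. A fine-grained token stored as a secret and scoped to pull-requests: write would drop into `GH_TOKEN` in the second workflow unchanged, but it must still never be available to the `pull_request` job.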
I'm going to request that we focus on the daff workflow in a different PR, since it's distracting from the goal of this effort. The diff workflow is close (I think)
To finish here, the last step is probably to undo the tiny csv change, right?
The csv change was to test xml push generation on PR merge, so it's actually necessary here. The goal of this was to test if we could give this job permissions via deploy-key, rather than by just omitting branch protections. This was poorly established / lost in the nerd snipe 😆
I'm going to merge so I can find out how I messed this one up and try again |
Previous PR is working and (presumably) checking out the repo with an ssh key. This aims to fully flex the xml-generation