🗝️ #1172

Merged (1 commit), Mar 4, 2025

12 changes: 9 additions & 3 deletions .github/workflows/bazel-steward.yaml
Expand Up @@ -19,8 +19,9 @@ name: Bazel Steward 🤵
# https://github.com/peter-evans/create-pull-request

permissions:
contents: write
pull-requests: write
contents: write # OK!
# See https://github.com/VirtusLab/bazel-steward/issues/420:
# NOK: pull-requests: write
Comment on lines +22 to +24
Contributor (medium):

This change removes the pull-requests: write permission. Can you elaborate on the security implications and why this permission is no longer needed?

# https://virtuslab.github.io/bazel-steward/docs/installation.html
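Review bot: the `# OK!` and `# NOK:` annotations on `contents: write` and the commented-out `pull-requests: write` record the decision but not the reason; since the job in the last hunk now authenticates with `${{ secrets.BAZEL_STEWARD }}` rather than `GITHUB_TOKEN`, say so here in one line (the personal token opens the PRs, so the workflow token no longer needs `pull-requests: write`), and check whether `GITHUB_TOKEN` still needs `contents: write` at all or whether `contents: read` suffices when the personal token does the pushing. Keeping this `permissions:` block minimal is what bounds the workflow token if any step in the job is compromised, so the remaining grant deserves the same justification as the removed one.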

Expand All @@ -32,6 +33,11 @@ on:
jobs:
bazel-steward:
runs-on: ubuntu-latest
# https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md
# #restrictions-on-repository-forks
# https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
# if: github.event.pull_request.head.repo.full_name == github.repository
if: github.repository == 'enola-dev/enola' # Don't do this in forks
Contributor (medium):

This condition prevents the workflow from running on forks. While this is a valid approach, consider using github.event.pull_request.head.repo.full_name == github.repository for a more robust solution that automatically adapts to repository name changes. This would avoid hardcoding the repository name.

if: github.event.pull_request.head.repo.full_name == github.repository

steps:
- uses: actions/checkout@v4
with:
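Review bot: the `if: github.repository == 'enola-dev/enola'` guard is the right form here, not the commented-out `github.event.pull_request.head.repo.full_name` comparison that the inline comment above recommends: assuming the `on:` block is the schedule or manual trigger described in the installation link cited in the first hunk, there is no `pull_request` payload, `github.event.pull_request` is empty, and that comparison would never be true, silently disabling the job. State that in the comment (e.g. "pull_request.head.repo is not set on schedule/workflow_dispatch runs") so the next reader does not "fix" it. The trade-off of the hardcoded name is that the job stops running after a repository rename or transfer; that is acceptable for a fork guard but worth one more word in the comment.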
Expand All @@ -40,5 +46,5 @@ jobs:
# NB: Cannot use hash instead of version here due to
# https://github.com/VirtusLab/bazel-steward/issues/414.
with:
# github-personal-token: 'TODO'
Contributor (high):

The TODO comment has been removed and replaced with a secret. Ensure that the BAZEL_STEWARD secret is properly configured in the repository settings.

github-personal-token: ${{ secrets.BAZEL_STEWARD }}
additional-args: "--update-all-prs"
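Review bot: the commented-out `# github-personal-token: 'TODO'` line is dead now that the secret is wired in and should be dropped; more importantly, the hunk documents neither why a personal token is needed in place of `GITHUB_TOKEN` (the `NOK` note in the first hunk points at bazel-steward issue 420, so a one-line summary next to this key would do) nor what `BAZEL_STEWARD` is expected to be. Add a comment stating that it should be a fine-grained token limited to this repository with only the contents and pull-requests permissions and an expiry date, because a personal token's reach is bounded only by its own scopes, not by the `permissions:` block at the top of this file, and that is the token this job now exposes to every step it runs.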