chore: Fixing non-propagated custom GH token in forked PRs #134
Conversation
heyvister1
force-pushed
the
fix-non-propagated-gh-token
branch
from
6c986c3
to
c911071
Compare
heyvister1
changed the title
heyvister1
changed the title
A new step has been added to verify that actor is a member of Mellanox/cloud-orchestration team
heyvister1
force-pushed
the
fix-non-propagated-gh-token
branch
from
c911071
to
859e91e
Compare
|
What happens if some one creates a PR to this action with a script to exfiltrate the token before the check runs? |
He needs to gain GH_TOKEN first, but he should be blocked on the first step which checks his membership |
| response=$(curl -H "Authorization: Bearer $GH_TOKEN" \ | ||
| -H "Accept: application/vnd.github+json" \ | ||
| "https://api.github.com/orgs/Mellanox/teams/cloud-orchestration/members/$ACTOR") | ||
|
|
||
| if [[ $(echo "$response" | jq -r '.message') == "Not Found" ]]; then |
There was a problem hiding this comment.
Does the GH API return an appropriate status code (404?) if the actor is not part of the organization?
If so, this could be shortened to if curl -f ... ; then?
What if I create an MR which changes that first step? |
So this is not only related to my PR change, if anyone can create its own workflow file which will be engaged in PR then we're in a bad shape. |
The current trigger configuration doesn't trigger on PRs, so shouldn't this not be a problem? And either way - we can configure the repository (Settings -> Actions -> General -> Approval for running fork pull request workflows from contributors to Require approval for all external contributors. |
Since custom GH secrets are not propagated for forked PRs
A new step has been added to verify that actor is a member of Mellanox/cloud-orchestration team