Conversation
@wolfogre (Member) commented Feb 7, 2023

Currently, Gitea automatically runs actions that are triggered by fork pull requests. This is a security risk: people can create a PR and modify the workflow YAMLs to execute a malicious script.

So we should require approval for first-time contributors, which is the default strategy for a public repo on GitHub; see "Approving workflow runs from public forks".

Current strategy:

  • don't need approval if it's not a fork PR;
  • always need approval if the user is restricted;
  • don't need approval if the user can write;
  • don't need approval if the user has been approved before;
  • otherwise, need approval.

GitHub has an option for that; you can see it at /<owner>/<repo>/settings/actions, and we can support it later.

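The approval rules from the PR description, written out as an ordered decision function. This is an added example, not code from this PR or from Gitea itself; the type and field names, and the in-memory set standing in for the database record of earlier approvals, are assumptions made here so the block runs on its own.

```go
package main

import "fmt"

// Actor is the pull-request author as seen from the target repository.
// Field names are assumptions for this example, not Gitea's own types.
type Actor struct {
	Login      string
	Restricted bool // site-level restricted user
	CanWrite   bool // has write permission on the target (base) repository
}

// PullRequest carries the one fact the policy needs about the PR.
type PullRequest struct {
	FromFork bool // head branch lives in a fork, so the workflow YAMLs are attacker-controlled
}

// Policy holds the per-repository record of users whose workflow runs a
// maintainer approved earlier. A real implementation would query the
// database; the in-memory set is an assumption that keeps the example
// self-contained.
type Policy struct {
	approvedBefore map[string]bool
}

func NewPolicy() *Policy {
	return &Policy{approvedBefore: map[string]bool{}}
}

// RecordApproval remembers that a maintainer approved a run for login, so
// later fork PRs from the same user run without approval.
func (p *Policy) RecordApproval(login string) {
	p.approvedBefore[login] = true
}

// NeedApproval evaluates the rules from the PR description in order; the
// first rule that matches decides. Ordering matters: a restricted user needs
// approval even when they hold write permission, because the restricted check
// precedes the write-permission check. The fall-through is "need approval",
// so any situation the rules do not cover fails closed.
func (p *Policy) NeedApproval(pr PullRequest, actor Actor) (need bool, reason string) {
	switch {
	case !pr.FromFork:
		return false, "not a fork PR"
	case actor.Restricted:
		return true, "user is restricted"
	case actor.CanWrite:
		return false, "user has write permission"
	case p.approvedBefore[actor.Login]:
		return false, "user was approved before"
	default:
		return true, "first-time fork contributor"
	}
}

func main() {
	p := NewPolicy()
	// Constructed sample cases covering each rule.
	cases := []struct {
		name  string
		pr    PullRequest
		actor Actor
	}{
		{"same-repo branch", PullRequest{FromFork: false}, Actor{Login: "alice"}},
		{"fork PR, first-time contributor", PullRequest{FromFork: true}, Actor{Login: "bob"}},
		{"fork PR, restricted but can write", PullRequest{FromFork: true}, Actor{Login: "carol", Restricted: true, CanWrite: true}},
		{"fork PR, collaborator with write", PullRequest{FromFork: true}, Actor{Login: "dave", CanWrite: true}},
	}
	for _, c := range cases {
		need, why := p.NeedApproval(c.pr, c.actor)
		fmt.Printf("%-36s need approval=%-5v (%s)\n", c.name, need, why)
	}
	// A maintainer approves bob's run once; his next fork PR runs automatically.
	p.RecordApproval("bob")
	need, why := p.NeedApproval(PullRequest{FromFork: true}, Actor{Login: "bob"})
	fmt.Printf("%-36s need approval=%-5v (%s)\n", "fork PR, bob after approval", need, why)
}
```

Two points a reviewer would check in a real implementation: `CanWrite` must be evaluated against the base repository, not the fork (every fork owner has write on their own fork), and the "approved before" record must be keyed per target repository, otherwise one approval anywhere would unlock workflow runs everywhere.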

@wolfogre added the type/enhancement and topic/gitea-actions labels Feb 7, 2023
@wolfogre added this to the 1.19.0 milestone Feb 7, 2023
@wolfogre changed the title from "Require approval for fork pull request" to "Require approval to run actions for fork pull request" Feb 7, 2023
@delvh added and then removed the topic/security label Feb 7, 2023
@techknowlogick modified the milestones: 1.19.0, 1.20.0 Feb 7, 2023
@GiteaBot added the lgtm/need 2 label Feb 16, 2023
@GiteaBot added lgtm/need 1 and removed lgtm/need 2 labels Feb 16, 2023
@lunny modified the milestones: 1.20.0, 1.19.0 Feb 16, 2023
@lunny requested review from delvh and zeripath February 17, 2023 14:28
@lunny requested a review from jolheiser February 17, 2023 14:28
@yardenshoham modified the milestones: 1.19.0, 1.20.0 Feb 22, 2023
@yardenshoham added the outdated/backport/v1.19 label Feb 22, 2023
@lunny removed the outdated/backport/v1.19 label Feb 23, 2023
@lunny (Member) commented Feb 23, 2023

@yardenshoham This PR has one migration, so it cannot be backported to an old version.

@delvh (Member) commented Feb 23, 2023

On the other hand, what we could also do is merge #23078, and then backport it.

@lunny (Member) commented Feb 23, 2023

> On the other hand, what we could also do is merge #23078, and then backport it.

That PR is not ready; we should be careful and need more discussion on that side.

@GiteaBot added lgtm/done and removed lgtm/need 1 labels Feb 24, 2023
@lunny added the reviewed/wait-merge label Feb 24, 2023
@lunny merged commit edf98a2 into go-gitea:main Feb 24, 2023
@lunny removed the reviewed/wait-merge label Feb 24, 2023
zjjhot added a commit to zjjhot/gitea that referenced this pull request Feb 24, 2023
* giteaoffical/main:
  Fix db.Find bug (go-gitea#23115)
  Avoid warning for system setting when start up (go-gitea#23054)
  Require approval to run actions for fork pull request (go-gitea#22803)
  Fix nil context in RenderMarkdownToHtml (go-gitea#23092)
  Add HesterG to maintainers (go-gitea#23104)
  improve FindProjects (go-gitea#23085)
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Labels: lgtm/done, topic/gitea-actions, type/enhancement
7 participants