Does the current implementation use the SHA-1 head to check whether a merge of a Pull Request is good? https://developer.github.com/v3/pulls/#merge-a-pull-request-merge-button describes that you can add a SHA-1 to the merge API call, which causes GitHub to check whether the SHA-1 and the current head of that Pull Request match.
This would be useful for security reasons in our application. We're building a review-tool-bot that merges Pull Requests for us after we signal (via a comment) that the Pull Request is OK to merge. Now, a malicious person could theoretically introduce a new commit to their Pull Request branch, while the Request to merge is still on the way (either from the GitHub comment webhook to the bot, or from the bot to the GitHub API). If the SHA-1 doesn't match, the merge should be denied by GitHub.
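The race the issue describes is a time-of-check/time-of-use gap between the approval comment and the merge call. The example below is added here and is not code from the issue author or from the project being asked about. It models a bot that records the pull request head SHA when the approval arrives and then pins that SHA in the `sha` field of the merge request, and it includes a toy stand-in for GitHub's server-side check (an assumption about its behaviour: a supplied `sha` that differs from the current head is rejected with 409, matching the documented "head branch was modified" response). The owner, repository, pull number, SHAs and PR payload are all constructed sample values.

```python
import json
import urllib.request
from dataclasses import dataclass, field

# Constructed sample values; these are not real commits or repositories.
HEAD_AT_APPROVAL = "a" * 40        # head when the reviewer commented "OK to merge"
HEAD_AFTER_NEW_PUSH = "b" * 40     # head after someone pushed another commit
SAMPLE_PR = {"number": 42, "head": {"sha": HEAD_AT_APPROVAL, "ref": "feature"}}


@dataclass(frozen=True)
class MergeRequest:
    """The HTTP call a merge bot would send (method, URL, JSON body)."""
    method: str
    url: str
    body: dict = field(default_factory=dict)


def head_sha_at_approval(pull_request_json):
    """Record the head SHA at the moment the approval is processed.

    Assumption: the bot fetches GET /repos/{owner}/{repo}/pulls/{number}
    when the comment webhook arrives; `head.sha` is a real field of that
    response.  An issue_comment webhook alone does not carry the PR head.
    """
    return pull_request_json["head"]["sha"]


def build_merge_request(owner, repo, number, expected_head_sha=None, merge_method="merge"):
    """Build PUT /repos/{owner}/{repo}/pulls/{number}/merge.

    Passing the recorded head as `sha` asks GitHub to refuse the merge if the
    branch moved between approval and merge.  Leaving it out merges whatever
    the head is at that instant, which is the weakness the issue points at.
    """
    body = {"merge_method": merge_method}
    if expected_head_sha is not None:
        body["sha"] = expected_head_sha
    url = f"https://api.github.com/repos/{owner}/{repo}/pulls/{number}/merge"
    return MergeRequest("PUT", url, body)


def to_urllib_request(req, token):
    """Turn a MergeRequest into a urllib Request (built, not sent)."""
    return urllib.request.Request(
        req.url,
        data=json.dumps(req.body).encode(),
        method=req.method,
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def simulated_merge_endpoint(current_head_sha, req):
    """Toy model of the server-side check (an assumption, not GitHub's code):
    409 when `sha` is present and does not equal the current head, else 200."""
    expected = req.body.get("sha")
    if expected is not None and expected != current_head_sha:
        return {"status": 409, "merged": False,
                "message": "Head branch was modified. Review and try the merge again."}
    return {"status": 200, "merged": True, "sha": current_head_sha}


def bot_merge(owner, repo, number, head_at_approval, current_head_sha, pin_sha=True):
    """Full bot flow: build the merge call (pinned or not) and run it against
    the simulated endpoint whose branch currently points at current_head_sha."""
    expected = head_at_approval if pin_sha else None
    req = build_merge_request(owner, repo, number, expected)
    return simulated_merge_endpoint(current_head_sha, req)


if __name__ == "__main__":
    approved = head_sha_at_approval(SAMPLE_PR)
    # Pinned: a commit pushed after approval makes GitHub reject the merge.
    print(bot_merge("org", "repo", 42, approved, HEAD_AFTER_NEW_PUSH))
    # Unpinned: the late commit is merged without any review.
    print(bot_merge("org", "repo", 42, approved, HEAD_AFTER_NEW_PUSH, pin_sha=False))
    # Pinned and unchanged: merge proceeds.
    print(bot_merge("org", "repo", 42, approved, HEAD_AT_APPROVAL))
```

The key property is that the SHA comes from the bot's own record taken at approval time, not from a fresh read of the pull request just before merging; reading it again at merge time would re-open the same window. Deny by default when the stored SHA is missing, and treat a 409 as "re-review required" rather than retrying.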