Merging with SHA1 #176
Does the current implementation use the SHA-1 head to check whether a merge of a Pull Request is good? https://developer.github.com/v3/pulls/#merge-a-pull-request-merge-button describes that you can add a SHA-1 to the merge API call, which causes GitHub to check whether the SHA-1 and the current head of that Pull Request match.
This would be useful for security reasons in our application. We're building a review-tool bot that merges Pull Requests for us after we signal (via a comment) that the Pull Request is OK to merge. Now, a malicious person could theoretically introduce a new commit to their Pull Request branch while the request to merge is still on the way (either from the GitHub comment webhook to the bot, or from the bot to the GitHub API). If the SHA-1 doesn't match, the merge should be denied by GitHub.
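The race described above, and the head-SHA precondition that closes it, as an added offline example (not the issue author's or the project's code): GitHub's merge endpoint is stood in for by an in-memory fake whose 409 behaviour is modelled on the documented API, and the PR number and SHAs are constructed values.

```python
"""Added example: pinning the approved head SHA when merging a Pull Request.

Not code from the issue or the project. GitHub is simulated in-memory so the
approve -> push -> merge race from the issue can be reproduced without network.
"""
from dataclasses import dataclass


@dataclass
class PullRequest:
    number: int
    head_sha: str
    merged: bool = False


class FakeGitHub:
    """Minimal stand-in for the GitHub API (constructed for this example)."""

    def __init__(self):
        self.prs = {}

    def get_pull(self, number):
        return self.prs[number]

    def push_to_head(self, number, new_sha):
        # The PR author adds a commit to the branch after approval was given.
        self.prs[number].head_sha = new_sha

    def merge(self, number, sha=None):
        """Models PUT /repos/{owner}/{repo}/pulls/{number}/merge.

        If `sha` is supplied it must equal the current head; the real API
        answers 409 Conflict otherwise. Returned here as (status, message).
        """
        pr = self.prs[number]
        if sha is not None and sha != pr.head_sha:
            return 409, "Head branch was modified. Review and try the merge again."
        pr.merged = True
        return 200, "Pull Request successfully merged"


def approve_and_merge(gh, number, push_between=None, pin_sha=True):
    """Bot flow: record the head at approval time, then merge.

    pin_sha=True passes that head as the `sha` precondition (safe);
    pin_sha=False merges whatever the head is by then (the race the issue fears).
    push_between simulates a commit landing while the merge request is in flight.
    """
    approved_sha = gh.get_pull(number).head_sha   # state when the reviewer said OK
    if push_between:
        gh.push_to_head(number, push_between)
    return gh.merge(number, sha=approved_sha if pin_sha else None)
```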