Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tools: ensure the PR was not pushed before merging #40747

Merged
merged 1 commit into from
Nov 7, 2021
Merged

tools: ensure the PR was not pushed before merging #40747

merged 1 commit into from
Nov 7, 2021

Conversation

aduh95
Copy link
Contributor

@aduh95 aduh95 commented Nov 6, 2021

When using Squash and Merge feature, it would allow to a malicious actor to push unreviewed code to their PR while the CQ is running and bypass the usual checks.
This PR adds a check to refuse to land if the head of the PR branch is different from the one validated by ncu.

@aduh95
tools: ensure the PR was not pushed before merging
8f1e23b 
When using Squash and Merge feature, it would allow to a malicious
actor to push unreviewed code to their PR while the CQ is running and
bypass the usual checks.
This commit adds a check to refuse to land if the head of the PR
branch is different from the one validated by ncu.
@nodejs-github-bot nodejs-github-bot added the tools Issues and PRs related to the tools directory. label Nov 6, 2021
@aduh95
Copy link
Contributor Author

aduh95 commented Nov 6, 2021

/cc @nodejs/actions

@aduh95 aduh95 added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. fast-track PRs that do not need to wait for 48 hours to land. labels Nov 6, 2021
@github-actions
Copy link
Contributor

github-actions bot commented Nov 6, 2021

Fast-track has been requested by @aduh95. Please 👍 to approve.

@aduh95 aduh95 merged commit 96e00e0 into nodejs:master Nov 7, 2021
@aduh95
Copy link
Contributor Author

aduh95 commented Nov 7, 2021

Landed in 96e00e0

@aduh95 aduh95 deleted the cq-merge-sha-validation branch November 7, 2021 11:08
targos pushed a commit that referenced this pull request Nov 8, 2021
@aduh95 @targos
tools: ensure the PR was not pushed before merging
a3df50d 
When using Squash and Merge feature, it would allow to a malicious
actor to push unreviewed code to their PR while the CQ is running and
bypass the usual checks.
This commit adds a check to refuse to land if the head of the PR
branch is different from the one validated by ncu.

PR-URL: #40747
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Voltrex <mohammadkeyvanzade94@gmail.com>
@targos targos mentioned this pull request Nov 8, 2021
Merged
BethGriggs pushed a commit that referenced this pull request Nov 25, 2021
@aduh95 @BethGriggs
tools: ensure the PR was not pushed before merging
cba8eaf 
When using Squash and Merge feature, it would allow to a malicious
actor to push unreviewed code to their PR while the CQ is running and
bypass the usual checks.
This commit adds a check to refuse to land if the head of the PR
branch is different from the one validated by ncu.

PR-URL: #40747
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Voltrex <mohammadkeyvanzade94@gmail.com>
@BethGriggs BethGriggs mentioned this pull request Nov 26, 2021
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@VoltrexKeyva VoltrexKeyva VoltrexKeyva approved these changes

@tniessen tniessen tniessen approved these changes

@targos targos targos approved these changes

Assignees
No one assigned
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. fast-track PRs that do not need to wait for 48 hours to land. tools Issues and PRs related to the tools directory.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@aduh95 @targos @tniessen @VoltrexKeyva @nodejs-github-bot