Template
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo synced 2024-11-25 11:16:11 +01:00
forgejo/services/actions
Jason Song edf98a2dc3
Require approval to run actions for fork pull request (#22803)
Currently, Gitea will run actions automatically which are triggered by
fork pull request. It's a security risk, people can create a PR and
modify the workflow yamls to execute a malicious script.

So we should require approval for first-time contributors, which is the
default strategy of a public repo on GitHub, see [Approving workflow
runs from public
forks](https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks).

Current strategy:

- don't need approval if it's not a fork PR;
- always need approval if the user is restricted;
- don't need approval if the user can write;
- don't need approval if the user has been approved before;
- otherwise, need approval.

https://user-images.githubusercontent.com/9418365/217207121-badf50a8-826c-4425-bef1-d82d1979bc81.mov

GitHub has an option for that, you can see that at
`/<owner>/<repo>/settings/actions`, and we can support that later.

<img width="835" alt="image"
src="https://user-images.githubusercontent.com/9418365/217199990-2967e68b-e693-4e59-8186-ab33a1314a16.png">

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-24 15:58:49 +08:00
..
clear_tasks.go Implement actions (#21937) 2023-01-31 09:45:19 +08:00
commit_status.go Fix improper HTMLURL usages in Go code (#22839) 2023-02-11 14:34:11 +08:00
init.go Implement actions (#21937) 2023-01-31 09:45:19 +08:00
job_emitter.go Implement actions (#21937) 2023-01-31 09:45:19 +08:00
job_emitter_test.go Implement actions (#21937) 2023-01-31 09:45:19 +08:00
notifier.go Add context cache as a request level cache (#22294) 2023-02-15 21:37:34 +08:00
notifier_helper.go Require approval to run actions for fork pull request (#22803) 2023-02-24 15:58:49 +08:00