melink14/rikaikun

Audit presubmit workflow for security problems

Opened this issue · 0 comments

It currently uses pull_request_target in an unsafe way, so we should make sure there's nothing actually dangerous.

Secrets:

  • Default repo secret
  • Codecov secret

The first one only has contents: write permission, and branch protections mean it can't write to main?
Codecov would be able to mess up our coverage somehow but that would not be dangerous...

We could use https://dev.to/petrsvihlik/using-environment-protection-rules-to-secure-secrets-when-building-external-forks-with-pullrequesttarget-hci to require an approval before building unsafe code. This should be doable only on external PR requests, but we need to double-check.
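The approval gate the issue proposes, written out as an added example workflow. This is not rikaikun's actual presubmit workflow: the environment names `external-pr` and `internal-pr`, the secret name `CODECOV_TOKEN`, the Node version and the `npm` commands are assumptions made for the illustration. The comments mark the step that makes the plain `pull_request_target` pattern unsafe and what the gate and the reduced token permissions change.

```yaml
# Added example, not the rikaikun repository's own workflow.
# A pull_request_target presubmit that runs fork code only after a reviewer
# approves the "external-pr" environment. Names marked "assumption" are made up.
name: presubmit

on:
  pull_request_target:
    # "synchronize" means every new push to the PR re-triggers the workflow and
    # needs a fresh approval, so a contributor cannot get one commit approved and
    # then push a different one.
    types: [opened, synchronize, reopened]

# Least privilege for the default GITHUB_TOKEN: the job can read the repository
# but cannot push, create releases or change settings, so even an approved
# malicious PR has nothing to write with.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Environment protection rule (the approach from the dev.to link above).
    # When the PR head lives in a fork, the job is bound to "external-pr"
    # (assumption: an environment of that name configured with required
    # reviewers) and GitHub pauses it until a reviewer approves. Same-repo PRs
    # get "internal-pr" (assumption: an environment with no reviewers), so
    # maintainers' own branches are not slowed down.
    environment: ${{ github.event.pull_request.head.repo.full_name != github.repository && 'external-pr' || 'internal-pr' }}
    steps:
      # This step is what made the original pattern unsafe. With
      # pull_request_target the default checkout is the BASE branch; checking
      # out the PR head instead executes untrusted code with the repository's
      # secrets in scope. It is acceptable only behind the approval gate above,
      # and with persist-credentials disabled so the untrusted build cannot read
      # the token back out of .git/config.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumption: Node toolchain

      # Build and test the approved PR code (commands are assumptions).
      - run: npm ci
      - run: npm test -- --coverage

      # The only secret the job needs. Store CODECOV_TOKEN (assumption) as an
      # environment secret rather than a repository secret: an environment
      # secret is readable only by jobs that reference that environment, so it
      # is never handed to a job that did not pass through the gate.
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true
```

Two checks worth doing when adopting this: confirm in the repository settings that `external-pr` really has required reviewers (an environment with no rules pauses nothing), and confirm that the `permissions:` block is honoured, which is the case for `pull_request_target` runs on the base repository but is worth verifying in the run's "Set up job" log where the token scopes are printed.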