
chore(ci): harden package_for_test against untrusted PR checkout#3497

Open
zhangsoledad wants to merge 1 commit into develop from improve_package_for_test

Conversation

@zhangsoledad

Member
  • Require maintainer approval via package-for-test environment for issue_comment triggers.
  • Do not expose GITHUB_TOKEN to packaging steps when triggered by PR comments.
  • Restrict slash command to exact "/package" body.
  • Use --frozen-lockfile on yarn install for PR-comment builds.
  • Add SECURITY NOTE about keeping refs/pull/<n>/merge checkout.

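
The PR text lists the hardening measures but the workflow diff itself is not shown on this page. The following is an added illustrative workflow that applies all five points to a minimal `issue_comment`-triggered job; it is not the project's actual file. The environment name `package-for-test`, the exact `/package` body, `--frozen-lockfile` and the `refs/pull/<n>/merge` checkout come from the PR description; the workflow name, job and step names and the `yarn run package` script are assumed placeholders.

```yaml
# Illustrative workflow added for this page, not the project's own file.
# Names marked "assumed" are placeholders chosen for the example.
name: package-for-test   # assumed workflow name

on:
  issue_comment:
    types: [created]

# The automatic GITHUB_TOKEN stays read-only; nothing below needs write access.
permissions:
  contents: read

jobs:
  package:   # assumed job name
    # Only comments on pull requests, and only when the body is exactly "/package".
    # A contains()/startsWith() match would let any extra text ride along.
    if: >-
      github.event.issue.pull_request &&
      github.event.comment.body == '/package'
    runs-on: ubuntu-latest
    # The job waits here for a maintainer. The "required reviewers" rule is
    # configured on the environment in repository settings, not in this file.
    environment: package-for-test
    steps:
      - name: Check out the PR merge commit
        uses: actions/checkout@v4
        with:
          # issue_comment events carry no PR ref; derive it from the issue number.
          # The merge ref is what CI normally tests, but it is untrusted code.
          ref: refs/pull/${{ github.event.issue.number }}/merge
          # Keep GITHUB_TOKEN out of .git/config, where scripts run by yarn
          # in the checked-out tree could read it back.
          persist-credentials: false

      - name: Install dependencies
        # --frozen-lockfile refuses to modify yarn.lock, so the PR cannot
        # resolve to packages the committed lockfile does not pin.
        run: yarn install --frozen-lockfile

      - name: Build test package
        # Deliberately no `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on
        # the packaging steps; the untrusted build runs without the token.
        run: yarn run package   # assumed script name
```

Two things the workflow alone does not guarantee: the approval gate only exists if the `package-for-test` environment actually has a required-reviewers protection rule set in the repository settings, and `yarn install --frozen-lockfile` still executes lifecycle scripts from the checked-out tree, so the maintainer approval is what stands between a malicious PR and code execution on the runner, not the lockfile flag.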