
chore: make CodeQL check triggered on pull_request_target #31575

Closed
wants to merge 1 commit into from

Conversation

rix0rrr
Contributor

@rix0rrr rix0rrr commented Sep 26, 2024

If we trigger the workflow on `pull_request`, a human has to approve it.

Workflows on `pull_request_target` can run freely.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@rix0rrr rix0rrr requested a review from a team September 26, 2024 16:07
@github-actions github-actions bot added the p2 label Sep 26, 2024
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Sep 26, 2024
@@ -3,14 +3,14 @@ name: "CodeQL"
on:
push:
branches: [ "main" ]
pull_request:
pull_request_target:
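Review bot: switching the trigger in the `on:` block from `pull_request:` to `pull_request_target:` gives every PR run, including runs for PRs from forks, the base repository's secrets and a write-capable `GITHUB_TOKEN`, and the description says the job checks out the PR; if that checkout is of the PR head, any step that executes content from it (CodeQL's autobuild step can run the project's own build for compiled languages) does so with those privileges. Suggest keeping `pull_request:` and handling the approval requirement separately, or, if `pull_request_target:` must stay, checking out only the base ref and declaring `permissions:` at the minimum the analysis needs.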
Contributor Author


It runs checkout, but it doesn't run any scripts from the checkout.

Instead, it runs GitHub's Code analyzer ON the checkout.
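As an added illustration (not from this PR or the aws-cdk repository), the trigger the PR proposes beside a form that stays on `pull_request` and pins the job's token to the least CodeQL needs. The PR does not show its checkout step, so the `ref:` override in the first document is an assumption included to show the shape that makes `pull_request_target` dangerous; job and step layout are assumed too.

```yaml
# Added example, not the aws-cdk workflow. Two YAML documents: the risky shape and a safer one.
# --- Risky: pull_request_target runs with the base repo's secrets and a write-capable
# GITHUB_TOKEN; checking out the PR head (assumed ref override) hands that context to
# untrusted content, and any step executing that content does so with those privileges.
name: "CodeQL"
on:
  pull_request_target:
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR-controlled content (assumed)
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/autobuild@v3              # may run build steps from the checkout
      - uses: github/codeql-action/analyze@v3
---
# --- Safer: stay on pull_request (fork PRs get a read-only token and the usual approval
# gate) and state the minimal permissions explicitly instead of relying on defaults.
name: "CodeQL"
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
permissions:
  contents: read
  security-events: write   # needed by codeql-action/analyze to upload results
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # checks out the merge ref; no secrets exposed
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
```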

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 76449dd
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@rix0rrr
Contributor Author

rix0rrr commented Sep 30, 2024

Decided we're not comfortable with this. There's no guarantee there won't be a buffer overflow in the CodeQL analyzer.

@rix0rrr rix0rrr closed this Sep 30, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 30, 2024
@rix0rrr rix0rrr deleted the huijbers/pr-target branch November 12, 2024 12:44