workflows/check: run codeowners validator from trusted checkout
In f7d6d11e8e I wrongly assumed that
running from the untrusted checkout should be fine for the codeowners
validator, because we removed all the logic for privileged tokens.
However, this job also contains access to the cachix secret, which could
be used to push malicious code to cachix, which would then be pulled by
a more privileged workflow like reviewers.yml later.
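The hazard the commit message describes is structural: a job that both holds a push secret and builds from the untrusted (PR) checkout can launder attacker-controlled derivations into the cache that privileged workflows later trust. The lint below is an added example, not tooling from this repository, that checks a workflow file for exactly that co-location. It assumes the layout the hunk shows (`nixpkgs/untrusted`, `nixpkgs/untrusted-pinned` for PR-controlled trees) and a cachix step passing `${{ secrets.CACHIX_AUTH_TOKEN }}`; the two workflow texts are constructed to mirror the before/after of this commit, and the `cachix/cachix-action` step and secret name are assumptions, since the diff only shows `pushFilter`.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the check.yml hunk above; the cachix-action step,
# its input names and the secret name are assumptions, not the project's real file.
WORKFLOW_BEFORE = """\
jobs:
  codeowners:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          target-as-trusted-at: ${{ inputs.targetSha }}
      - uses: cachix/cachix-action@v15  # constructed; pin by commit SHA in real use
        with:
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
          pushFilter: -source$
      - name: Build codeowners validator
        run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator
"""

# Same job after the fix: the tool is built from the trusted checkout only.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned",
    "nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned",
)

# `${{ secrets.NAME }}` references anywhere in a job.
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Paths the checkout action fills from the PR head (assumed layout from the hunk).
UNTRUSTED_RE = re.compile(r"\bnixpkgs/untrusted(?:-pinned)?\b")


@dataclass(frozen=True)
class Finding:
    job: str
    secrets: tuple[str, ...]
    untrusted_runs: tuple[str, ...]


def split_jobs(workflow: str) -> dict[str, list[str]]:
    """Split the top-level `jobs:` mapping into {job_name: [stripped lines]}.

    Indentation-based on purpose: it needs no YAML library and GitHub workflow
    files are consistently two-space indented, so a job is any key at indent 2.
    """
    jobs: dict[str, list[str]] = {}
    in_jobs = False
    current: str | None = None
    for line in workflow.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:                     # new top-level key
            in_jobs = stripped == "jobs:"
            current = None
            continue
        if not in_jobs:
            continue
        if indent == 2 and stripped.endswith(":"):
            current = stripped[:-1]
            jobs[current] = []
        elif current is not None:
            jobs[current].append(stripped)
    return jobs


def audit(workflow: str) -> list[Finding]:
    """Flag jobs that hold a secret AND run a build rooted in the untrusted tree."""
    findings: list[Finding] = []
    for name, lines in split_jobs(workflow).items():
        secrets = tuple(sorted({m for ln in lines for m in SECRET_RE.findall(ln)}))
        runs = tuple(ln for ln in lines if ln.startswith("run:") and UNTRUSTED_RE.search(ln))
        if secrets and runs:
            findings.append(Finding(name, secrets, runs))
    return findings


if __name__ == "__main__":
    for label, text in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        for f in audit(text):
            print(f"[{label}] job {f.job!r} holds {f.secrets} and builds untrusted: {f.untrusted_runs}")
        if not audit(text):
            print(f"[{label}] no secret/untrusted-build co-location")
```

The lint is deliberately coarse: it only looks at `run:` steps that name the untrusted paths, so a step that reads the PR tree through some other mechanism (an action input, a `working-directory`) would be missed; it is a tripwire against the specific regression this commit fixes, not a proof that the job is safe.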
.github/workflows/check.yml
@@ -80,6 +80,7 @@ jobs:
uses: ./.github/actions/checkout
with:
merged-as-untrusted-at: ${{ inputs.mergedSha }}
target-as-trusted-at: ${{ inputs.targetSha }}
|
- uses: cachix/install-nix-action@fd24c48048070c1be9acd18c9d369a83f0fe94d7 # v31
|
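Review bot: This hunk is whitespace only (the `-80,6 +80,7` counts come from the blank line inserted between the checkout step and the `cachix/install-nix-action` step), so it could be dropped to keep the security fix minimal. Note that the checkout step still materialises both `merged-as-untrusted-at: ${{ inputs.mergedSha }}` and `target-as-trusted-at: ${{ inputs.targetSha }}` in the same job that holds the cachix secret, so every later step in this job, not only the `nix-build` line, should be checked for anything it evaluates or reads from the untrusted tree.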
@@ -92,7 +93,7 @@ jobs:
pushFilter: -source$
|
- name: Build codeowners validator
run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator
run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator
|
- name: Validate codeowners
env:
|
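Review bot: Switching both `nixpkgs/untrusted/ci` and `./nixpkgs/untrusted-pinned` to their `trusted` counterparts is the right fix, but nothing in the file records why, and f7d6d11e8e regressed precisely because that constraint lived only in commit history; add a YAML comment above the `run: nix-build nixpkgs/trusted/ci ...` line stating that this job holds the cachix push token, so anything it builds can be pushed (subject to `pushFilter: -source$`) and must therefore come from the trusted checkout only. The following `Validate codeowners` step is cut off at `env:` here, so it cannot be confirmed from the diff which checkout's CODEOWNERS file the validator is pointed at; that should be verified and stated explicitly, since the point of the commit is to build the tool from trusted sources, not to change which file it validates.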