mirror of
https://github.com/aljazceru/kata-containers.git
synced 2026-01-02 14:04:22 +01:00
e0d6475b49
We have GH configured so that manual approval is required for CI runs triggered by outside contributors. However, because CI is triggered by the `pull_request_target` event, this setting isn't being honored (see [1]). This means that an attacker could trivially extracts secrets by submitting a PR. This change aims to mititgate this issue by preventing PRs from triggering CI unless the `ok-to-test` label is set. Note: For further context, we use the `pull_request_target` event and manually check out the PR branch because it is the only way to both access secrets and test incoming code changes. Fixes: #7163 [1]: https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks Signed-off-by: Aurélien Bombo <abombo@microsoft.com>