adonis0147 opened a new pull request, #24761: URL: https://github.com/apache/doris/pull/24761
## Proposed changes ~~Issue Number: close #xxx~~ The workflow `Code Checks` needs write permissions granted by the event `pull_request_target` to comment on pull requests. However, if the workflow runs users' code, the malicious code would do some dangerous action on our repository. The following changes are made in this PR: 1. Instead of applying patches, we use `sed` to modify the `entrypoint.sh` in action-sh-checker explicitly in the workflow. 2. Revoke the write permissions when generating `compile_commands.json` which is produced by executing the build script `build.sh`. ## Further comments If this is a relatively large or complex change, kick off the discussion at [[email protected]](mailto:[email protected]) by explaining why you chose the solution you did and what alternatives you considered, etc... -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
