lupyuen commented on issue #18359: URL: https://github.com/apache/nuttx/issues/18359#issuecomment-4300523890
We are mentioned by ASF Infra Team on GitHub Actions Security yay! https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=321719166#GitHubActionsSecurity-Buildstriggeredwithworkflow_run

> __Builds triggered with workflow_run__
>
> A [common technique](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/) for building untrusted code but also using privileges to act on the build result is to split the build into two parts: a low-privilege one triggered by pull_request that runs the untrusted code, stores the result in an artifact, and triggers a second, high-privilege build with workflow_run that acts on that result.
>
> ...
>
> An example of a job that is split into two parts like this is the __NuttX PR labeler__, https://github.com/apache/nuttx/blob/master/.github/workflows/labeler.yml and https://github.com/apache/nuttx/blob/master/.github/workflows/pr_labeler.yml.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
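An added illustration of the two-workflow split described in the quoted wiki text. This is example code written for this note, not the NuttX project's own labeler.yml / pr_labeler.yml (whose contents are not shown above); the file paths, workflow names, artifact name and label are assumptions. The point a practitioner should take from it is that the privileged workflow must treat the artifact as attacker-controlled input and validate it before acting.

```yaml
# --- File 1 (assumed path): .github/workflows/pr-untrusted.yml
# Triggered by pull_request: read-only GITHUB_TOKEN, no repository secrets for
# forks. It may run untrusted PR code; it only records what the next stage needs.
name: PR untrusted build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Record the PR number for the privileged stage
        run: |
          mkdir -p out
          echo "${{ github.event.pull_request.number }}" > out/pr_number
      - uses: actions/upload-artifact@v4
        with:
          name: pr-result
          path: out/
---
# --- File 2 (assumed path): .github/workflows/pr-privileged.yml
# Triggered by workflow_run in the base repository's context with a write token.
# It never checks out or runs PR code; it consumes the artifact as untrusted data.
name: PR privileged labeler
on:
  workflow_run:
    workflows: ["PR untrusted build"]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-result
          path: out/
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Validate the artifact, then act with privileges
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          pr=$(tr -d '[:space:]' < out/pr_number)
          # Reject anything that is not a plain PR number; the label itself is
          # chosen here, never read from the artifact.
          [[ "$pr" =~ ^[0-9]+$ ]] || { echo "bad pr number in artifact"; exit 1; }
          gh pr edit "$pr" --repo "$GITHUB_REPOSITORY" --add-label "needs-review"
```

Note that workflow_run only fires for workflow files on the default branch, so a PR cannot change File 2's behaviour by editing it in the PR itself.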
