[
https://issues.apache.org/jira/browse/HADOOP-19858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18073581#comment-18073581
]
ASF GitHub Bot commented on HADOOP-19858:
-----------------------------------------
ajfabbri commented on PR #8412:
URL: https://github.com/apache/hadoop/pull/8412#issuecomment-4246865795
Things to understand:
1. What actions/steps are trusted versus untrusted and how are we separating
them.
2. Do we guard against malicious container image creation? (e.g. a PR which
modifies Dockerfiles, and has package: write permissions to publish it where
other jobs may reuse it)
3. Confirm we do not have any `secrets: inherit` or `pull_request_target`
usage that could leak our GITHUB_TOKEN
> Set up build workflow in GitHub Actions
> ---------------------------------------
>
> Key: HADOOP-19858
> URL: https://issues.apache.org/jira/browse/HADOOP-19858
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: build
> Reporter: Cheng Pan
> Priority: Major
> Labels: pull-request-available
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]