pan3793 commented on PR #8412: URL: https://github.com/apache/hadoop/pull/8412#issuecomment-4248733453
@ajfabbri > So for building the container image, this is just a convenience to get a stable toolchain for doing the maven build. I feel like this should be a trusted action, that we don't run on fork PRs. I'm not sure it's a trusted action. Contributors can modify the Dockerfile, for example, they can write some evil instructions in the Dockerfile `RUN send-secrets-to-my-server`, the instructions will be evaluated during building the image. Let me explain my thoughts about the security models: assumption: - we should trust all committers who have write permission on the apache/hadoop repo - we should trust the code in the apache/hadoop repo, either committed by committers directly, or checked in from PR/patch - we treat the PR code (from the forked repo) as untrusted the current proposed workflow for PR - the `.github/workflows/build_and_test.yml` will be triggered on the contributor's forked repo, so it's fine to grant write permission (note, it's write permission of the forked repo, not apache/hadoop repo) - the images will only be pushed to the forked repo's registry - the `.github/workflows/notify_test_workflow.yml` runs on `pull_request_target`, but it only runs the predefined script (trusted code), so it won't be affected by contributors' changes for apache/hadoop - as listed in the assumption section, we should trust the code in the apache/hadoop repo -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
