ajfabbri commented on code in PR #8450:
URL: https://github.com/apache/hadoop/pull/8450#discussion_r3125646744


##########
.github/workflows/tmpl_build_and_test.yml:
##########
@@ -86,6 +90,20 @@ jobs:
     name: Build Image ${{ inputs.os }}-${{ inputs.branch }}
     runs-on: ubuntu-24.04
     needs: [ precondition ]
+    # Security: this does not leak write access for our image repository to
+    # forked repos.
+    #
+    # We have `packages: write` permissions for our GITHUB_TOKEN below. 
However:
+    #
+    # - For `pull_request`, GitHub downgrades GITHUB_TOKEN permissions to
+    #   read-only.
+    # - For `push` triggers on a fork, the GITHUB_TOKEN retains write
+    #   permissions, but the `push` is happening in the context of the fork, 
not
+    #   the upstream repo.
+    # - For `pull_request_target` (risky), the write permission is
+    #   overridden by our repository's setting "Send write tokens to workflows
+    #   from pull requests" which should be disabled.
+    #   See https://issues.apache.org/jira/browse/INFRA-27839 for confirmation.
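Review bot: the third bullet of this comment rests on the repository setting "Send write tokens to workflows from pull requests", but the reply below notes that this setting does not exist for public repositories, so the comment should instead point at the two controls that actually bound the token here: the repository's default workflow permissions (the read-only option) and the explicit `permissions:` block this comment introduces. Since `pull_request_target` runs the workflow in the base repository's context rather than the fork's, the "(risky)" remark deserves one plain sentence saying that the job's own `permissions:` block, not a repository toggle, is what keeps a write-capable token from reaching untrusted code, and that this job should not be wired to that trigger. A minor style point: the comment says the `packages: write` grant is "below", so keep the `permissions:` block directly under this comment so the rationale and the grant it explains do not drift apart in later edits.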

Review Comment:
   Yes, two different settings but both are relevant. I was concerned with the 
"Send write tokens to workflows" setting, but it doesn't exist for public 
repositories.
   
   For this Workflow Permissions setting, newer repositories default to the 
second "read-only" option. Our repository was created before that change. 
Specifying minimal permissions in workflows is our mitigation, but we should 
consider changing the default in the future.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.