ajfabbri commented on code in PR #8450:
URL: https://github.com/apache/hadoop/pull/8450#discussion_r3125831330


##########
.github/workflows/tmpl_build_and_test.yml:
##########
@@ -86,6 +90,19 @@ jobs:
     name: Build Image ${{ inputs.os }}-${{ inputs.branch }}
     runs-on: ubuntu-24.04
     needs: [ precondition ]
+    # Security: this does not leak write access for our image repository to
+    # forked repos.
+    #
+    # We have `packages: write` permissions for our GITHUB_TOKEN below. 
However:
+    #
+    # - For `pull_request`, GitHub downgrades GITHUB_TOKEN permissions to
+    #   read-only.
+    # - For `push` triggers on a fork, the GITHUB_TOKEN retains write
+    #   permissions, but the `push` is happening in the context of the fork, 
not
+    #   the upstream repo.
+    # - For `pull_request_target` (not used here), image repo permissions are
+    #   scoped to the repository they run on. This prevents forks from writing
+    #   to our Apache Hadoop image repo.
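Review bot: the third bullet (`pull_request_target`) reads as if that trigger were also safe, but a `pull_request_target` workflow runs with the upstream repository's GITHUB_TOKEN and secrets, so with `packages: write` it would hand write access to fork-supplied code the moment it checked out or executed the PR head; suggest rewording it to say that trigger must never check out untrusted PR code, or dropping the bullet since it is unused here. The first bullet should also say "for `pull_request` events from forks": same-repo pull requests keep whatever the `permissions:` block grants.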

Review Comment:
   I am learning as I go, so thank you for all the discussion!
   I was just looking for documentation. My understanding is that, for Actions, ghcr.io has tight integration which inherits the security settings of the repository. Here's a non-official reference:
   
   https://www.gecko.security/blog/ghcr-github-container-registry-guide
   
   See the table under "GHCR vs Docker Hub..."
   
   ```
   Inherits permissions directly from GitHub repository settings; unified access management with source code
   ```
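As an added illustration of the least-privilege pattern discussed in this thread (not code from the Hadoop PR under review, and with placeholder repository and image names), a job-level `permissions:` block that grants `packages: write` only to the image job, and a push step that is skipped for `pull_request` events and for runs outside the upstream repository:

```yaml
# Added example, not part of the PR: job-scoped permissions plus an explicit
# guard so an image is pushed only from a push event on the upstream repo.
# `example-org/example-repo` and `example-image` are placeholders.
name: build-image
on:
  push:
    branches: [ trunk ]
  pull_request:

jobs:
  build-image:
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write   # needed only for the push step; fork PRs get read-only anyway
    steps:
      - uses: actions/checkout@v4

      - name: Log in to ghcr.io
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build, and push only from the upstream repository
        uses: docker/build-push-action@v6
        with:
          # A fork's `push` event carries the fork's token, so the repository
          # check keeps such runs from even attempting a push to upstream.
          push: ${{ github.event_name != 'pull_request' && github.repository == 'example-org/example-repo' }}
          tags: ghcr.io/example-org/example-image:${{ github.sha }}
```

The `permissions:` block is what the "inherits permissions from the repository" statement above refers to in practice: ghcr.io checks the token's package scope against the repository the workflow runs in, so keeping `packages: write` on a single job, and gating the push on the event name and repository, means a fork can build but never publish to the upstream image.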



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

