[ 
https://issues.apache.org/jira/browse/HADOOP-19868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18075554#comment-18075554
 ] 

ASF GitHub Bot commented on HADOOP-19868:
-----------------------------------------

steveloughran commented on code in PR #8450:
URL: https://github.com/apache/hadoop/pull/8450#discussion_r3126691171


##########
.github/workflows/tmpl_build_and_test.yml:
##########
@@ -86,6 +90,20 @@ jobs:
     name: Build Image ${{ inputs.os }}-${{ inputs.branch }}
     runs-on: ubuntu-24.04
     needs: [ precondition ]
+    # Security: this does not leak write access for our image repository to
+    # forked repos.
+    #
+    # We have `packages: write` permissions for our GITHUB_TOKEN below. 
However:
+    #
+    # - For `pull_request`, GitHub downgrades GITHUB_TOKEN permissions to
+    #   read-only.
+    # - For `push` triggers on a fork, the GITHUB_TOKEN retains write
+    #   permissions, but the `push` is happening in the context of the fork, 
not
+    #   the upstream repo.
+    # - For `pull_request_target` (risky), the write permission is
+    #   overridden by our repository's setting "Send write tokens to workflows
+    #   from pull requests" which should be disabled.
+    #   See https://issues.apache.org/jira/browse/INFRA-27839 for confirmation.
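Review bot: the `pull_request_target` bullet makes the job's safety depend on a repository-level setting that the workflow file itself cannot enforce or verify, and "which should be disabled" leaves it unclear whether that state has been confirmed. Suggest stating the verified state once INFRA-27839 is answered, and pairing the comment with an explicit job-level `permissions:` block (the `packages: write` grant the comment refers to is below the hunk and not visible here) so the reduced token scope is enforced in the YAML rather than only described. It would also help to say which triggers actually invoke this template, since the three bullets argue about triggers the file may never run under.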

Review Comment:
   can we change our repo?





> ci: add security comments to github actions
> -------------------------------------------
>
>                 Key: HADOOP-19868
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19868
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: test
>            Reporter: Aaron Fabbri
>            Assignee: Aaron Fabbri
>            Priority: Minor
>              Labels: pull-request-available
>
> Following up on HADOOP-19858, I have a patch for some `# Security:` comments 
> to add to our github actions to explain why each workflow is safe. 
> I'm also following up on INFRA-27839, just to double check they haven't 
> enabled any risky defaults. I'll add comments with any details I find.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
