[
https://issues.apache.org/jira/browse/NUTCH-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091135#comment-18091135
]
Sebastian Nagel commented on NUTCH-3186:
----------------------------------------
This issue currently blocks the SonarQube status messages, e.g.
<https://github.com/apache/nutch/actions/runs/28054337690>:
bq. Refusing to check out fork pull request code from a 'workflow_run'
workflow. This workflow runs with the base repository's GITHUB_TOKEN, secrets,
default-branch cache scope, and runner access. Fetching and executing a fork's
code in that trusted context commonly leads to "pwn request" vulnerabilities.
To opt in, review the risks at https://gh.io/securely-using-pull_request_target
and set 'allow-unsafe-pr-checkout: true' on the actions/checkout step.
> Split SonarQube workflow in unprivileged build and privileged analysis part
> ---------------------------------------------------------------------------
>
> Key: NUTCH-3186
> URL: https://issues.apache.org/jira/browse/NUTCH-3186
> Project: Nutch
> Issue Type: Bug
> Components: build
> Affects Versions: 1.23
> Reporter: Sebastian Nagel
> Priority: Critical
> Fix For: 1.23
>
>
> The SonarQube workflow defined by {{.github/workflows/sonarcloud.yml}} is run
> in a single workflow which has access to repository secrets. By splitting the
> workflow in an unprivileged build and privileged part which performs the
> analysis and sets the SonarQube status will secure the workflow secrets.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)