[ 
https://issues.apache.org/jira/browse/NUTCH-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18091135#comment-18091135
 ] 

Sebastian Nagel commented on NUTCH-3186:
----------------------------------------

This issue currently blocks the SonarQube status messages, e.g. 
<https://github.com/apache/nutch/actions/runs/28054337690>:
bq. Refusing to check out fork pull request code from a 'workflow_run' 
workflow. This workflow runs with the base repository's GITHUB_TOKEN, secrets, 
default-branch cache scope, and runner access. Fetching and executing a fork's 
code in that trusted context commonly leads to "pwn request" vulnerabilities. 
To opt in, review the risks at https://gh.io/securely-using-pull_request_target 
and set 'allow-unsafe-pr-checkout: true' on the actions/checkout step.



> Split SonarQube workflow in unprivileged build and privileged analysis part
> ---------------------------------------------------------------------------
>
>                 Key: NUTCH-3186
>                 URL: https://issues.apache.org/jira/browse/NUTCH-3186
>             Project: Nutch
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 1.23
>            Reporter: Sebastian Nagel
>            Priority: Critical
>             Fix For: 1.23
>
>
> The SonarQube workflow defined by {{.github/workflows/sonarcloud.yml}} is run 
> in a single workflow which has access to repository secrets. By splitting the 
> workflow in an unprivileged build and privileged part which performs the 
> analysis and sets the SonarQube status will secure the workflow secrets.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to