dannymartinm commented on PR #22703:
URL: https://github.com/apache/beam/pull/22703#issuecomment-1226596137
**Option 3:** Using `pull_request` with “**Require approval from first time contributors**”
- Pros
  - Toil is reduced, as only first-time contributors are going to require manual approval.
  - Repository security concerns are eliminated, as write tokens are not granted to the `pull_request` directive.
- Cons
  - Any person who is not a first-time contributor can modify their workflows and the trigger events; then, by opening a PR, it will be executed without the requirement of approval, and the untrusted code will run directly in our self-hosted runners.
**Ideal scenario:** A good scenario from our perspective would be to use `pull_request` and be able to lock the workflow against external modifications while still allowing execution of the safe ones from master without external approval.
* Unfortunately, **we haven’t found a way** with the options provided by GitHub to ensure the integrity of the workflow while still allowing executions from verified master jobs without external approval (acting as a combination of the integrity feature of `pull_request_target` and the repository security of `pull_request`).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
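For reference, a GitHub Actions workflow wired the way "Option 3" in the comment above describes, as an added illustration that is not part of the Beam PR or the project's own configuration; the workflow name, the Gradle command and the runner label `beam-self-hosted` are assumptions.

```yaml
# Added example, not Apache Beam's workflow. Names below are assumptions.
name: PR checks (pull_request trigger)

on:
  # `pull_request` runs the workflow definition that the PR itself carries.
  # For PRs from forks, GITHUB_TOKEN is read-only and repository secrets are
  # not passed to the job: the "repository security" pro listed above.
  pull_request:
    branches: [master]

# State the minimal token scope explicitly instead of relying on the fork
# default, so the same workflow is not silently elevated when the PR comes
# from a branch inside the repository.
permissions:
  contents: read
  pull-requests: read

jobs:
  test:
    # The con from the comment: a returning contributor can edit this file
    # (steps, `runs-on`, triggers) and, with "Require approval from first time
    # contributors" only gating newcomers, it runs on the self-hosted runner
    # without anyone approving it. Treat these runners as untrusted workers:
    # ephemeral, isolated, and holding nothing the PR code must not reach.
    runs-on: [self-hosted, beam-self-hosted]
    steps:
      - uses: actions/checkout@v3
      - name: Build and test
        run: ./gradlew test   # assumed build command
```

Switching `on:` to `pull_request_target` would restore the base-branch workflow definition (the integrity property the comment wants) but also grants a write-capable token, which is exactly the trade-off the comment says GitHub offers no way around.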