From 01cb4f97cd555476d09993a762fc7a1450d675ca Mon Sep 17 00:00:00 2001
From: Matt Pryor
Date: Fri, 17 Nov 2023 15:06:29 +0000
Subject: [PATCH] Use environments rather than custom actions to prevent untrusted code from running

---
 .github/workflows/pr.yaml | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index d3035403..208760b2 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -14,18 +14,15 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  # Reusable workflows cannot be used with environments
-  # https://docs.github.com/en/actions/using-workflows/reusing-workflows#supported-keywords-for-jobs-that-call-a-reusable-workflow
-  # So we must use a different mechanism for approvals
+  # Use a job that does nothing but has an environment as a guard to control
+  # access to the rest of workflow
+  # This allows us to control access to test infra for concurrenct and approval reasons
   wait_for_approval:
     runs-on: ubuntu-latest
+    environment: ci-approval
     steps:
-      - name: Wait for approval
-        uses: stackhpc/github-actions/workflow-approve@master
-        with:
-          approvers: mkjpryor
-          # Explicit approval is only required for PRs from external forks
-          approval-required: ${{ github.event.pull_request.head.repo.full_name != 'stackhpc/capi-helm-charts' && 'yes' || 'no' }}
+      - name: Workflow approved
+        run: exit 0
 
   lint:
     needs: [wait_for_approval]
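Review bot: The new guard at `environment: ci-approval` enforces nothing by itself — whether a human must approve is decided entirely by that environment's protection rules in the repository settings, so a missing or later-relaxed "Required reviewers" rule silently turns this job into a pass-through and fork PR code reaches every job that `needs` it. I would record that dependency next to the key, e.g. `# SECURITY: gating relies on the 'ci-approval' environment having "Required reviewers" configured; without it this job completes immediately and untrusted PR code runs in the jobs below`. The removed action skipped approval for same-repo PRs, whereas the environment will prompt on every run unless its rules say otherwise; if that is intended, saying so in the comment discourages someone re-adding an `if:` on this job that would bypass the guard. Rejecting the approval fails this job rather than skipping it, so any downstream job with `if: always()` or `if: failure()` would still run — only `lint` is visible here, so the rest of the workflow is worth checking for such conditions. Minor: `concurrenct` in the new comment should read `concurrent`.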