It currently uses pull_request_target in an unsafe way so we should make sure there's nothing actually dangerous.
Secrets:
- Default repo secret
- Codecov secret
The first one only has `contents: write` permission, and branch protections mean it can't write to main?
Codecov would be able to mess up our coverage somehow but that would not be dangerous...
We could use https://dev.to/petrsvihlik/using-environment-protection-rules-to-secure-secrets-when-building-external-forks-with-pullrequesttarget-hci to require an approval before building unsafe code. This should be doable only on external PR requests but need to double check.
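One way to wire up the approval gate described above, as an added example that is not part of the original issue or the project's own workflow. The workflow name, the `internal` and `external` environment names, the `make test` step and the `CODECOV_TOKEN` secret name are assumptions; `external` is assumed to have required reviewers configured in the repository settings, and `internal` has none.

```yaml
# Added example: gate fork PRs behind an environment approval.
# Environment names, the test command and the secret name are assumptions.
name: ci

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Narrow the default token; nothing here needs write access.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # PRs from forks resolve to "external" and wait for a reviewer to approve
    # the run. PRs from branches in this repository resolve to "internal",
    # which has no protection rule, so they start immediately.
    environment: >-
      ${{ github.event.pull_request.head.repo.full_name == github.repository
          && 'internal' || 'external' }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Build exactly the commit that triggered this run.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in .git/config for PR code to read.
          persist-credentials: false

      # Placeholder for the project's real build and test command.
      - run: make test

      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
```

Because the checkout uses `head.sha` from the triggering event, an approved run builds the commit that was reviewed; a later push to the PR starts a new run that waits for its own approval.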