On Wed, Dec 30, 2020, 1:25 AM Jarek Potiuk <ja...@potiuk.com> wrote:

> > This is only sort of correct. If you are using the standard checkout
> > action and install a package from pypi/npm at a later step that package
> > absolutely can push to the Apache repo when it runs in a push context (pr
> > context it is read-only). This later step does not need the token passed
> > to it.
>
> Are you sure of that? Can you please double check it? If it is then
> I think we need to immediately raise a critical security issue to GitHub.
>
> My understanding was that by default the github checkout action is
> not authenticated at all (when you do not pass the token). Authentication
> is not needed for Checkout because all apache repos are public, so as I
> understood it - the 'persists' case is only in the case if you actually pass
> a token or SSH key (which you can do for external repos).
I am quite sure. We use this feature to be able to publish our site.

Note that the auth only has the context to do this on a push. So the PR
build only verifies the build. Once it is merged a push job is triggered
which can commit to the asf-site branch.

We use pipenv to pin our build dependencies in this case.

https://github.com/apache/incubator-nuttx-website/blob/master/.github/workflows/main.yml

--Brennan
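To make the mechanism Brennan describes concrete, the following is an added example workflow written for this page; it is not the NuttX project's own main.yml and not code from either author. It puts the default checkout behaviour (the `risky` job) beside a layout where no step that installs third-party packages ever has a write-capable token in reach (the `hardened` and `publish` jobs). The `persist-credentials` input of actions/checkout and the job-level `permissions` key are real GitHub Actions features; `build.sh`, `requirements.txt`, the `site/` output directory and the branch names are assumed for the example.

```yaml
# Added example (not the NuttX website workflow). Compare the three jobs.
name: site-build

on:
  push:
    branches: [master]
  pull_request:

jobs:
  # What the thread is about: actions/checkout defaults to persist-credentials: true,
  # so the job's GITHUB_TOKEN is written into the workspace's .git/config. On a
  # push-triggered run that token can write, and every later step, including any
  # package pulled from PyPI/npm here, runs with that token already in place.
  risky:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: pip install -r requirements.txt   # unpinned deps, token present
      - run: ./build.sh

  # Build with no credentials in the workspace and a read-only token, and only
  # install dependencies that are pinned and hash-checked (the role pipenv plays
  # in Brennan's setup). The output is handed on as an artifact.
  hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: read                      # this job's GITHUB_TOKEN cannot push
    steps:
      - uses: actions/checkout@v2
        with:
          persist-credentials: false      # nothing auth-related left in .git/config
      - run: pip install --require-hashes -r requirements.txt
      - run: ./build.sh                   # assumed to write the site into site/
      - uses: actions/upload-artifact@v2
        with:
          name: site
          path: site/

  # The only job that may write. It installs no packages at all: it checks out
  # the publishing branch, drops in the already-built artifact and pushes with a
  # token that is passed explicitly to the one step that needs it.
  publish:
    needs: hardened
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v2
        with:
          ref: asf-site
          persist-credentials: false
      - uses: actions/download-artifact@v2
        with:
          name: site
          path: .
      - run: |
          git config user.name "github-actions"
          git config user.email "actions@users.noreply.github.com"
          git add -A
          git commit -m "Publish site" || exit 0   # nothing changed, nothing to push
          git push "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" HEAD:asf-site
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The split matters because the persisted credential is not an environment variable a step has to be handed; actions/checkout stores it in the checked-out repository's git config (as an HTTP extra header), so anything that runs in that workspace afterwards can use it without being passed anything. Disabling persistence, scoping the token to read-only for build jobs, and keeping package installation out of the job that holds write access are the three controls that close the gap Jarek and Brennan are discussing.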