diff options
| author | Jason Song <i@wolfogre.com> | 2023-02-24 15:58:49 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-24 15:58:49 +0800 |
| commit | edf98a2dc30956c8e04b778bb7f1ce55c14ba963 (patch) | |
| tree | 2d8b7708f76a36c27700ab128082bdb976a0753e /models/actions/run.go | |
| parent | a6175b01d92a75dcbadbbfc6782a486636fd62a2 (diff) | |
| download | gitea-edf98a2dc30956c8e04b778bb7f1ce55c14ba963.tar.gz gitea-edf98a2dc30956c8e04b778bb7f1ce55c14ba963.zip | |
Require approval to run actions for fork pull request (#22803)
Currently, Gitea will run actions automatically which are triggered by
fork pull request. It's a security risk, people can create a PR and
modify the workflow yamls to execute a malicious script.
So we should require approval for first-time contributors, which is the
default strategy of a public repo on GitHub, see [Approving workflow
runs from public
forks](https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks).
Current strategy:
- don't need approval if it's not a fork PR;
- always need approval if the user is restricted;
- don't need approval if the user can write;
- don't need approval if the user has been approved before;
- otherwise, need approval.
https://user-images.githubusercontent.com/9418365/217207121-badf50a8-826c-4425-bef1-d82d1979bc81.mov
GitHub has an option for that, you can see that at
`/<owner>/<repo>/settings/actions`, and we can support that later.
<img width="835" alt="image"
src="https://user-images.githubusercontent.com/9418365/217199990-2967e68b-e693-4e59-8186-ab33a1314a16.png">
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'models/actions/run.go')
| -rw-r--r-- | models/actions/run.go | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/models/actions/run.go b/models/actions/run.go index 14d191c814..a8d991471e 100644 --- a/models/actions/run.go +++ b/models/actions/run.go @@ -32,11 +32,13 @@ type ActionRun struct { OwnerID int64 `xorm:"index"` WorkflowID string `xorm:"index"` // the name of workflow file Index int64 `xorm:"index unique(repo_index)"` // a unique number for each run of a repository - TriggerUserID int64 - TriggerUser *user_model.User `xorm:"-"` + TriggerUserID int64 `xorm:"index"` + TriggerUser *user_model.User `xorm:"-"` Ref string CommitSHA string IsForkPullRequest bool + NeedApproval bool // may need approval if it's a fork pull request + ApprovedBy int64 `xorm:"index"` // who approved Event webhook_module.HookEventType EventPayload string `xorm:"LONGTEXT"` Status Status `xorm:"index"` @@ -164,10 +166,6 @@ func InsertRun(ctx context.Context, run *ActionRun, jobs []*jobparser.SingleWork } run.Index = index - if run.Status.IsUnknown() { - run.Status = StatusWaiting - } - if err := db.Insert(ctx, run); err != nil { return err } @@ -191,7 +189,7 @@ func InsertRun(ctx context.Context, run *ActionRun, jobs []*jobparser.SingleWork job.EraseNeeds() payload, _ := v.Marshal() status := StatusWaiting - if len(needs) > 0 { + if len(needs) > 0 || run.NeedApproval { status = StatusBlocked } runJobs = append(runJobs, &ActionRunJob{ |