1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-26 13:29:12 -05:00
forgejo/services
Jason Song edf98a2dc3
Require approval to run actions for fork pull request (#22803)
Currently, Gitea will run actions automatically which are triggered by
fork pull request. It's a security risk, people can create a PR and
modify the workflow yamls to execute a malicious script.

So we should require approval for first-time contributors, which is the
default strategy of a public repo on GitHub, see [Approving workflow
runs from public
forks](https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks).

Current strategy:

- don't need approval if it's not a fork PR;
- always need approval if the user is restricted;
- don't need approval if the user can write;
- don't need approval if the user has been approved before;
- otherwise, need approval.

https://user-images.githubusercontent.com/9418365/217207121-badf50a8-826c-4425-bef1-d82d1979bc81.mov

GitHub has an option for that, you can see that at
`/<owner>/<repo>/settings/actions`, and we can support that later.

<img width="835" alt="image"
src="https://user-images.githubusercontent.com/9418365/217199990-2967e68b-e693-4e59-8186-ab33a1314a16.png">

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-02-24 15:58:49 +08:00
..
actions Require approval to run actions for fork pull request (#22803) 2023-02-24 15:58:49 +08:00
agit Rename almost all Ctx functions (#22071) 2022-12-10 10:46:31 +08:00
asymkey Add context cache as a request level cache (#22294) 2023-02-15 21:37:34 +08:00
attachment Add API management for issue/pull and comment attachments (#21783) 2022-12-09 14:35:56 +08:00
auth Use minio/sha256-simd for accelerated SHA256 (#23052) 2023-02-22 14:21:46 -05:00
automerge Add force_merge to merge request and fix checking mergable (#23010) 2023-02-21 08:42:07 -06:00
context Support org/user level projects (#22235) 2023-01-20 19:42:33 +08:00
convert Fix SyncOnCommit always return false in API of push_mirrors (#23088) 2023-02-23 15:50:33 -06:00
cron Add Cargo package registry (#21888) 2023-02-05 18:12:31 +08:00
externalaccount Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
forms Add force_merge to merge request and fix checking mergable (#23010) 2023-02-21 08:42:07 -06:00
gitdiff Refactor git command package to improve security and maintainability (#22678) 2023-02-04 10:30:43 +08:00
issue Webhooks: for issue close/reopen action, add commit ID that caused it (#22583) 2023-01-24 23:47:53 -05:00
lfs Use minio/sha256-simd for accelerated SHA256 (#23052) 2023-02-22 14:21:46 -05:00
mailer Use minio/sha256-simd for accelerated SHA256 (#23052) 2023-02-22 14:21:46 -05:00
markup Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
migrations Scoped labels (#22585) 2023-02-18 21:17:39 +02:00
mirror Use proxy for pull mirror (#22771) 2023-02-11 08:39:50 +08:00
org Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
packages Use import of OCI structs (#22765) 2023-02-06 10:07:09 +00:00
pull Add force_merge to merge request and fix checking mergable (#23010) 2023-02-21 08:42:07 -06:00
release Add context cache as a request level cache (#22294) 2023-02-15 21:37:34 +08:00
repository Return empty url for submodule tree entries (#23043) 2023-02-21 12:31:17 -05:00
task Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
user Add context cache as a request level cache (#22294) 2023-02-15 21:37:34 +08:00
webhook Use minio/sha256-simd for accelerated SHA256 (#23052) 2023-02-22 14:21:46 -05:00
wiki Improve utils of slices (#22379) 2023-01-11 13:31:16 +08:00