mirror of
https://github.com/servo/servo.git
synced 2025-06-06 16:45:39 +00:00
ci: fix security issue in try job workflow (#32724)
This [issue][1] was reported by GitHub user @RedYetiDev via the Security
Advisory reporting mechanism on GitHub. The fix is also based on their
proposed solution.
The issue is that `refs/pull/{pr_number}/head` points to the latest
commit of a PR and so it could be different than the commit that was
reviewed when the try label was applied. The fix is to use the exact commit
sha at the point when the try job is triggered, which is available in
the `github` context as `github.event.pull_request.head.sha`.
[1]: https://github.com/servo/servo/security/advisories/GHSA-fxqr-xgh8-3577
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
Co-authored-by: Aviv Keller <38299977+RedYetiDev@users.noreply.github.com>
This commit is contained in:
Mukilan Thiyagarajan
GitHub
parent
099b5607b9
commit
b243457ccc
6 changed files with 13 additions and 16 deletions
2
.github/workflows/windows.yml
vendored
2
.github/workflows/windows.yml
vendored
|
|
@ -57,7 +57,7 @@ jobs:
|
|||
- uses: actions/checkout@v4
|
||||
if: github.event_name == 'pull_request_target'
|
||||
with:
|
||||
ref: refs/pull/${{ github.event.number }}/head
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
fetch-depth: 2
|
||||
# Workaround for https://github.com/actions/runner-images/issues/10001:
|
||||
- name: Upgrade llvm
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue