Skip to end of metadata
Go to start of metadata
Participants
Discussion topics
Item | Notes |
---|
General updates | |
Things to review | OE license security for PRs from forks JM – Playground for “Trusted user posts a special GH comment that allows CI on the latest commit to have access to secrets”
JM – Generally, this would be possible, but we’d either need to duplicate all the CI yamls to have trusted and untrusted variants, or Add ~100 lines to each CI yaml to add trust-detection logic
So basically, it’s not possible to have an external file that can just be added to repos to make a “magic word” for maintainers to allow CI secret access to previous commit.
Decision – After one research cycle on this, we’ve decided not to try rolling our own privileged/fine-grained secrets access for PRs from forks. Instead, when people open a new PR to master , a maintainer will make a new branch (like contrib-987 )off master, redirect the PR to that, expect that secrets-requiring CI will fail, merge the PR into contrib-987 , then the maintainer will open a PR from contrib-987 into master and merge if CI passes.
|
Next steps | |
Action items
Decisions
0 Comments