mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-02-23 14:26:15 -05:00
edf98a2dc3
Currently, Gitea will run actions automatically which are triggered by fork pull request. It's a security risk, people can create a PR and modify the workflow yamls to execute a malicious script. So we should require approval for first-time contributors, which is the default strategy of a public repo on GitHub, see [Approving workflow runs from public forks](https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks). Current strategy: - don't need approval if it's not a fork PR; - always need approval if the user is restricted; - don't need approval if the user can write; - don't need approval if the user has been approved before; - otherwise, need approval. https://user-images.githubusercontent.com/9418365/217207121-badf50a8-826c-4425-bef1-d82d1979bc81.mov GitHub has an option for that, you can see that at `/<owner>/<repo>/settings/actions`, and we can support that later. <img width="835" alt="image" src="https://user-images.githubusercontent.com/9418365/217199990-2967e68b-e693-4e59-8186-ab33a1314a16.png"> --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
|---|---|---|
| .. | ||
| actions | ||
| activities | ||
| admin | ||
| asymkey | ||
| auth | ||
| avatars | ||
| db | ||
| dbfs | ||
| fixtures | ||
| git | ||
| issues | ||
| migrations | ||
| organization | ||
| packages | ||
| perm | ||
| project | ||
| pull | ||
| repo | ||
| secret | ||
| system | ||
| unit | ||
| unittest | ||
| user | ||
| webhook | ||
| error.go | ||
| fixture_generation.go | ||
| fixture_test.go | ||
| main_test.go | ||
| migrate.go | ||
| migrate_test.go | ||
| org.go | ||
| org_team.go | ||
| org_team_test.go | ||
| org_test.go | ||
| repo.go | ||
| repo_collaboration.go | ||
| repo_collaboration_test.go | ||
| repo_test.go | ||
| repo_transfer.go | ||
| repo_transfer_test.go | ||
