[llvm] [workflows] Split pr-code-format into two parts to make it more secure (PR #78216)

Aiden Grossman via llvm-commits llvm-commits at lists.llvm.org
Wed Jan 31 23:28:00 PST 2024


https://github.com/boomanaiden154 approved this pull request.

This LGTM. Since we're checking out the same ref as before `github.event.pull_request.head.sha`, there shouldn't be any new issues. Smoke tests on that would be good though (as well as in general to test that the whole setup works as expected).

There is somewhat of a security hole as mentioned before where someone could modify the workflow to produce whatever comment text/id that they want, but this should be caught before someone hits approve on the workflow and if someone does get by that, given the current mitigations, they can only post a comment on the PR which I don't think is that big of a deal.

It would be good if we could get this landed. I think switching to `pull_request` and running code formatting over the merge commit would fix https://github.com/llvm/llvm-project/issues/79661, but that fix requires landing this first.

https://github.com/llvm/llvm-project/pull/78216
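A sketch of the two-workflow pattern the review above refers to, added here as an illustration and not the PR's actual workflow files: the untrusted part runs the PR's code with no write permission, and the privileged part always runs from the main branch and can do nothing but post the comment. File, job and artifact names, the `git clang-format` step and `fetch-depth` are assumptions; the PR's own comment-id handling is not reproduced.

```yaml
# Part 1, e.g. .github/workflows/pr-code-format.yml: runs the PR's own code, no secrets
name: pr-code-format
on:
  pull_request:
permissions: {}            # read-only token; a hostile PR has nothing to steal
jobs:
  format:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 2   # assumed: enough history for HEAD~1 below
      - name: Build the comment (assumed formatting step)
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          mkdir -p out && echo "$PR_NUMBER" > out/pr-number
          git clang-format HEAD~1 --diff > out/comment.txt || true
      - uses: actions/upload-artifact@v4
        with:
          name: format-result
          path: out/
---
# Part 2, e.g. .github/workflows/pr-code-format-comment.yml: runs the main-branch copy, never the PR's
name: pr-code-format-comment
on:
  workflow_run:
    workflows: [pr-code-format]
    types: [completed]
permissions:
  pull-requests: write     # post a comment, and nothing more
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: format-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            // The artifact is untrusted: a modified part 1 can write anything into it.
            const fs = require('fs');
            const pr = fs.readFileSync('pr-number', 'utf8').trim();
            if (!/^\d{1,9}$/.test(pr)) throw new Error('bad PR number in artifact');
            const body = fs.readFileSync('comment.txt', 'utf8').slice(0, 60000);
            await github.rest.issues.createComment({ ...context.repo, issue_number: Number(pr), body });
```

The worst a tampered part 1 can achieve is a comment of its choosing on its own PR, which is the residual risk the review accepts.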

