blockly/.github/workflows
Christopher Allen 7ff6b93eb5 chore: Fix permissions for Assign requested reviewers workflow (#5666)
* refactor: Inline assign_reviewers script to avoid checkout

Per https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
it is not safe to do a checkout of the submitter-supplied code
AND THEN RUN IT (via require).  This is pretty bad.

We want to give this script more permissions by running it
`on: [pull_request_target]` (instead of `pull_request`); this would
give it permission to modify the PR (e.g. add comments, change
assignment).  While it would be OK to do a checkout with default
parameters (which in `pull_request_target` would check out *our*
branch rather than the submitted one), it is simplest just to inline
this small script and thereby obviate the need to do a checkout at all.

* chore: Give assign_reviewers action required permissions

Changing it from `on: [pull_request]` to `on: [pull_request_review]`
will give the action write access to our repository, allowing it to
change the assignment of the PR.

This is now safe as the script does not ever check out any
submitter-supplied code.

* docs: Comment tweaks for assign_reviewers.yml
2021-11-02 15:55:02 +00:00
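The two workflow shapes the commit message contrasts, written out as an added illustration (this is not Blockly's actual `assign_reviewers.yml`, and the assignment policy, action versions and payload handling are assumptions). The unsafe shape is the one the first paragraph warns about: `pull_request_target` grants a write-scoped token, and an explicit checkout of the PR head followed by `require()` executes submitter-controlled JavaScript with that token. The safe shape keeps the same trigger and permissions but inlines the script, so the only code that runs comes from the workflow file on the base branch. The two are shown as separate YAML documents here for side-by-side reading; in practice each would be its own file, since GitHub does not accept multi-document workflow files.

```yaml
# Added example, not the project's own workflow. The reviewer policy below
# (assign every requested reviewer) and the action versions are assumptions.

# --- UNSAFE shape: pull_request_target + checkout of the PR head + require() ---
name: Assign requested reviewers (unsafe shape)
on: [pull_request_target]          # runs in OUR repo context with a write token
permissions:
  pull-requests: write
jobs:
  assign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          # Explicitly checks out the submitter's commit. With default
          # parameters this would be the base branch, which is fine; `ref:`
          # pointing at the PR head is what makes it dangerous.
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/github-script@v5
        with:
          # require() loads submitter-controlled JS and runs it with the
          # write-scoped GITHUB_TOKEN: the "pwn request" pattern.
          script: |
            const assign = require('./.github/scripts/assign_reviewers.js');
            await assign({ github, context });
---
# --- SAFE shape: same trigger and permissions, but no checkout at all ---
name: Assign requested reviewers
on: [pull_request_target]
permissions:
  pull-requests: write
jobs:
  assign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v5
        with:
          # The whole script lives in this workflow file, which under
          # pull_request_target is read from the base branch, never from the PR.
          script: |
            const pr = context.payload.pull_request;
            // Hypothetical policy: make every requested reviewer an assignee.
            const reviewers = pr.requested_reviewers.map(r => r.login);
            if (reviewers.length === 0) return;
            await github.rest.issues.addAssignees({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              assignees: reviewers,
            });
```

Two checks worth keeping in mind when reviewing a `pull_request_target` workflow: there must be no `actions/checkout` step whose `ref` or `repository` comes from `github.event.pull_request.head`, and any `run:` or `script:` block must not consume PR-controlled strings (branch names, titles, bodies) through `${{ }}` interpolation, since those are injected into the shell or script before it executes. Pinning third-party actions to a full commit SHA rather than a mutable tag is the usual hardening on top of this.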