Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not run snyk pr comment workflow on forks #11240

Merged
merged 5 commits into from
Nov 16, 2023
Merged

Do not run snyk pr comment workflow on forks #11240

merged 5 commits into from
Nov 16, 2023

Conversation

trevorwhitney
Copy link
Collaborator

Only run the vulnerability scan jobs on PRs from branches, not on forks.

The other option here would be to change the on to pull_request_target, but I'm not confident we could still run the snyk scan in that case as it relies on secrets.SNYK_TOKEN. This action is more informative anyway, so I'm fine with only running it on branches.

@trevorwhitney trevorwhitney requested a review from a team as a code owner November 15, 2023 23:06
@github-actions GitHub Actions
Copy link
Contributor

Trivy scan found the following vulnerabilities:

@MasslessParticle
Copy link
Contributor

Wouldn't this disable security scanning on community-submitted PRs? Is there a way we could do that?

@trevorwhitney
Copy link
Collaborator Author

It's just the scan that produces the comments like the one above. The problem is PRs from forks don't get ${{ secrrets.GITHUB_TOKEN }}, and so they can't comment. We can try changing the trigger to on: pull_request_target, but then we'd have to lose the SNYK_SECRET we're using. Snyk might work without that since I think the secret is only for reporting back up to your project on their SaaS service, so I can try that?

@trevorwhitney
Copy link
Collaborator Author

@MasslessParticle so yeah, snyk needs a security token: https://github.com/grafana/loki/actions/runs/6884061084/job/18725837632?pr=11240.

So our options are:

  1. only run this on PRs from branches, not forks
  2. change to on: pull_request_target but remove snyk
  3. split this up into 2 workflows. change the trivy workflow to on: pull_request_target, and guard the snyk workflow to only run on PRs from branches.

@MasslessParticle
Copy link
Contributor

That makes sense. I think two workflows makes the most sense. I've approved this because it looks good and seems like one of the two needed workflows

@pull-request-size pull-request-size bot added size/M and removed size/S labels Nov 16, 2023
@trevorwhitney trevorwhitney changed the title Do not run vulnerability scans on forks Do not run snyk pr comment workflow on forks Nov 16, 2023
@trevorwhitney trevorwhitney merged commit 5c59483 into main Nov 16, 2023
6 checks passed
@trevorwhitney trevorwhitney deleted the trivy-on-target-branch branch November 16, 2023 18:05
jeschkies pushed a commit that referenced this pull request Nov 21, 2023
@trevorwhitney @jeschkies
Do not run snyk pr comment workflow on forks (#11240)
8a8d153 
Only run the snyk pr comment workflow on PRs from branches, not on forks. We can't run this `on: pull_request_target` because in needs access to the `SNYK_TOKEN` secret, and when run `on: pull_request`, forks don't have permissions to comment on the PR (because they don't get the `GITHUB_TOKEN` secret.
rhnasc pushed a commit to inloco/loki that referenced this pull request Apr 12, 2024
@trevorwhitney @rhnasc
Do not run snyk pr comment workflow on forks (grafana#11240)
8038e1d 
Only run the snyk pr comment workflow on PRs from branches, not on forks. We can't run this `on: pull_request_target` because in needs access to the `SNYK_TOKEN` secret, and when run `on: pull_request`, forks don't have permissions to comment on the PR (because they don't get the `GITHUB_TOKEN` secret.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MasslessParticle MasslessParticle MasslessParticle approved these changes

Assignees
No one assigned
Labels
size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@trevorwhitney @MasslessParticle