Skip to content

Fix backport GitHub Action for forks #1674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 18, 2023
Merged

Fix backport GitHub Action for forks #1674

merged 2 commits into from
Sep 18, 2023

Conversation

pquentin
Copy link
Member

@pquentin pquentin commented Sep 7, 2023
edited
Loading

Due to the way GitHub Actions works, there is no way to backport pull request from forks using the pull_request workflow trigger as it won't have write permissions on the repository. The fix is to use pull_request_target. It is much more dangerous, but is safe if those conditions are met:

  • The code in the pull request can be trusted (it is, since we have merged it)
  • The GitHub Action can be trusted (it is, I have audited it and pinned to a specific hash)

Does my analysis make sense?

@pquentin pquentin requested a review from a team September 7, 2023 17:49
@JoshMock
Copy link
Member

JoshMock commented Sep 7, 2023

I think it makes sense given the code is already merged when the action runs. I'm especially curious if there's historical context around not using pull_request_target on the team, or if InfoSec has concerns.

@flobernd
Copy link
Member

flobernd commented Sep 8, 2023

Your analysis is correct 🙂

I'm especially curious if there's historical context around not using pull_request_target on the team, or if InfoSec has concerns.

The pull_request_target trigger is of limited use in a lot of cases, because instead of running against the workflow and code from the merge commit, the event runs against the workflow and code from the base of the pull request. If you explicitly use checkout on the merge commit in such workflows, you basically circumvent all the security features introduced for pull_request. In our case this would be fine as the PR is already checked and merged.

@pquentin Did you verify that backport action correctly works under these conditions? Without checking the code, it probably uses the GH API to retrieve the PRs instead of working with the commits directly, but it's probably a good idea to double check.

@pquentin pquentin requested a review from jkakavas September 8, 2023 08:38
@pquentin
Copy link
Member Author

pquentin commented Sep 8, 2023

@pquentin Did you verify that backport action correctly works under these conditions? Without checking the code, it probably uses the GH API to retrieve the PRs instead of working with the commits directly, but it's probably a good idea to double check.

Yes, backport explicitly supports forks. It does not retrieve the PRs, it runs based on the closed and labeled activity types for the pull_request_target workflow trigger (you can see them in the diff of this pull request).

Then it parses the labels sent as part of the payload (to see if a backport is needed at all and to which branch), then clones the repo, cherry-pickes the merged commit, pushes that commit, and opens the backport pull request using the GitHub API.

@pquentin pquentin merged commit 82418c0 into elastic:main Sep 18, 2023
@pquentin pquentin deleted the fix-backport-forks branch September 18, 2023 06:34
This was referenced Sep 20, 2023
Merged
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JoshMock JoshMock JoshMock approved these changes

@jkakavas jkakavas Awaiting requested review from jkakavas

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pquentin @JoshMock @flobernd