Searched hist:e97a138aba3f477dee888d0978e25ab2b7d78819 (Results 1 – 1 of 1) sorted by relevance
/optee_os/.github/workflows/notify.yml
e97a138aba3f477dee888d0978e25ab2b7d78819 Thu Nov 20 13:08:23 UTC 2025 Jerome Forissier <jerome.forissier@linaro.org>
ci: notify_maintainers: fix source code comparison (really)
Fix yet another permission issue with the notify workflow [1]. The GitHub Copilot gives the following diagnostic:
"pull_request_target does grant a write-capable GITHUB_TOKEN, but you must run the trusted code (from the target/base branch) when using that token. Your workflow checks that the notify script wasn't modified, but then checks out the PR head and runs the script from the untrusted PR; that makes the token unavailable/limited for writes."
Let's check out the PR head in the run: step of the job instead of giving it to actions/checkout.
Link: https://github.com/OP-TEE/optee_os/actions/runs/19567616329/job/56033348650?pr=7584 [1]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>