Safe template updating #98
Merged
GitHub intentionally prevents self-modifying CI pipelines, template repos silently injecting workflows, and supply-chain attacks via Actions. What this means is that any changes in the Az-RBSI `.github/workflows/` directory cannot be updated via the Template Sync action.

Previously, the action would simply crash and not produce the desired PR in the target repository. This update removes any commit from Az-RBSI that was to be cherry-picked that contains updates to the `.github/workflows/` directory from the squash-commit PR. Thusly removed commits are noted in the PR for manual review.

The upshot of all of this is that any PR or commit to `main` in Az-RBSI that contains updates to the `.github/workflows/` directory should contain ONLY updates to the `.github/workflows/` directory so as not to cause important Java code updates to be missed by the Template Sync action.
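
A pre-merge check for the rule described above, as an added example that is not part of this PR or of the Template Sync action: it sorts commits into those that sync normally, those that touch only `.github/workflows/`, and mixed commits whose non-workflow changes would be dropped along with them. The `@@commit` marker, the function names, and the sample log are assumptions constructed for illustration.

```python
WORKFLOW_PREFIX = ".github/workflows/"
# Assumed marker, as produced by: git log --name-only --format='@@commit %H'
MARKER = "@@commit "


def parse_log(text):
    """Parse the marked `git log --name-only` output into (sha, [paths]) pairs."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(MARKER):
            commits.append((line[len(MARKER):], []))
        elif line and commits:
            commits[-1][1].append(line)
    return commits


def classify(commits):
    """Bucket commits: synced normally, workflow-only, or mixed."""
    buckets = {"sync": [], "workflow_only": [], "mixed": []}
    for sha, paths in commits:
        touched = [p for p in paths if p.startswith(WORKFLOW_PREFIX)]
        if not touched:
            buckets["sync"].append(sha)
        elif len(touched) == len(paths):
            buckets["workflow_only"].append(sha)
        else:
            # Removed from the sync together with its non-workflow changes.
            buckets["mixed"].append(sha)
    return buckets


# Constructed sample log; hashes and paths are made up for illustration.
SAMPLE_LOG = """\
@@commit aaa111

src/main/java/frc/robot/Robot.java

@@commit bbb222

.github/workflows/build.yml

@@commit ccc333

.github/workflows/build.yml
src/main/java/frc/robot/Constants.java
"""

if __name__ == "__main__":
    for bucket, shas in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{bucket}: {shas}")
```

A non-empty `mixed` bucket is the case to split before merging to `main`, since those commits carry changes the sync would otherwise miss.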