
IGNITE-23820 Restore 'checkout' in sonar-pr-from-fork-build.yml #11721

Open
wants to merge 2 commits into
base: master

Conversation

raboof
Member

@raboof raboof commented Dec 9, 2024

Follow-up on 964dc48 which removed the checkout from the pull-request workflow entirely. This should now check out the default rev (which should be the code from the PR as it was when the workflow was approved).

Thank you for submitting the pull request to Apache Ignite.

In order to streamline the review of the contribution
we ask you to ensure the following steps have been taken:

The Contribution Checklist

  • There is a single JIRA ticket related to the pull request.
  • The web-link to the pull request is attached to the JIRA ticket.
  • The JIRA ticket has the Patch Available state.
  • The pull request body describes the changes that have been made.
    The description explains WHAT was changed and WHY, not HOW.
  • The pull request title is treated as the final commit message.
    The following pattern must be used: IGNITE-XXXX Change summary, where XXXX is the number of the JIRA issue.
  • A reviewer has been mentioned through the JIRA comments
    (see the Maintainers list)
  • The pull request has been checked by the Teamcity Bot and
    the green visa attached to the JIRA ticket (see TC.Bot: Check PR)

Notes

If you need any help, please email [email protected] or ask any advice on http://asf.slack.com #ignite channel.

@skorotkov
Contributor

skorotkov commented Dec 10, 2024

Hi Arnout Engelen,

Thanks!

Now it does the build.

I think we still need to bring back the fetch of the PR's base branch (which is in fact master) from the upstream (main ignite) repo. Otherwise Sonar would fail to detect the "new lines of code" if the fork's master is not synchronized with the main repo.

See details at https://community.sonarsource.com/t/how-to-use-sonarcloud-with-a-forked-repository-on-github/7363/32

Do you see any security risks in fetching the master branch from the main ignite repo?

I mean the following section:

```yaml
      # Workflow step from the Sonar pull-request workflow.
      # $pr_base_ref is assumed to be set in an earlier step of the workflow.
      - name: Checkout PR base branch
        run: |
          # Add the repository that triggered the workflow_run event as 'upstream'
          git remote add upstream ${{ github.event.repository.clone_url }}
          git fetch upstream
          # Recreate the PR base branch locally from upstream so Sonar can diff against it
          git checkout -B $pr_base_ref upstream/$pr_base_ref
          # Return to the PR head branch and discard any untracked or modified files
          git checkout ${{ github.event.workflow_run.head_branch }}
          git clean -ffdx && git reset --hard HEAD
```

@raboof
Member Author

raboof commented Dec 10, 2024

I think that should be OK, as we trust $pr_base_ref (because it should have been reviewed). Hardcoding ${{ github.event.repository.clone_url }} and ${{ github.event.workflow_run.head_branch }} (as -) might be nice just to reduce attack surface - I guess perhaps we could even hard-code $pr_base_ref (as master)?

@skorotkov
Contributor

Yes, we may hardcode the ${{ github.event.repository.clone_url }} and
replace ${{ github.event.workflow_run.head_branch }} with github.event.workflow_run.head_sha. That may also work, but should be tested.

As for $pr_base_ref, I wouldn't hardcode it. Sometimes maintainers want to do PRs to some non-master branch which accumulates changes for some big feature. See the recent example #11618
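A hardened form of the step discussed above, written as an added standalone POSIX shell example rather than the Ignite workflow's own code: the upstream URL is hardcoded instead of being read from github.event.repository.clone_url, the checkout target is the PR head SHA (github.event.workflow_run.head_sha) instead of head_branch, and both inputs are validated before they reach git. It assumes the upstream repository is https://github.com/apache/ignite.git and that the approved head commit is already present in the local clone.

```shell
#!/bin/sh
# Hardcoded upstream URL (assumed): not taken from the workflow_run event payload.
UPSTREAM_URL="https://github.com/apache/ignite.git"

# Accept only plain branch names: no leading '-' (option injection), no leading '.',
# no '..', no trailing '/', and only [A-Za-z0-9._/-] characters.
valid_base_ref() {
  case "$1" in
    ''|-*|.*|*..*|*/|*/.*|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac
  return 0
}

# Accept only a full 40-hex commit id, so the checkout target is the approved commit
# itself and not a branch name that could be moved after the workflow was approved.
valid_head_sha() {
  case "$1" in
    ''|*[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Usage: checkout_pr_base <base_ref> <head_sha>
checkout_pr_base() {
  base_ref="$1"
  head_sha="$2"
  valid_base_ref "$base_ref" || { echo "refusing base ref: $base_ref" >&2; return 1; }
  valid_head_sha "$head_sha" || { echo "refusing head sha: $head_sha" >&2; return 1; }
  git remote add upstream "$UPSTREAM_URL"
  # Fetch only the one branch Sonar needs; a refspec starting with 'refs/' can never
  # be parsed as a git option.
  git fetch upstream "refs/heads/$base_ref:refs/remotes/upstream/$base_ref"
  git checkout -B "$base_ref" "upstream/$base_ref"
  # Detached checkout of the approved commit, then drop any untracked or modified files.
  git checkout --detach "$head_sha"
  git clean -ffdx && git reset --hard HEAD
}
```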

Follow-up on 964dc48 which removed the checkout from the pull-request
workflow entirely. This should now check out the default rev (which
should be the code from the PR as it was when the workflow was
approved).
@raboof raboof force-pushed the run_workflow_on_approved_commit_followup branch from 366fceb to ee9510e Compare December 12, 2024 14:34
Contributor

@skorotkov skorotkov left a comment

Looks good to me now.
