Unverified Commit 9718f295 authored by Wolfgang Walther

workflows/check: run codeowners validator from trusted checkout

In f7d6d11e I wrongly assumed that
running from the untrusted checkout should be fine for the codeowners
validator, because we removed all the logic for privileged tokens.
However, this job also contains access to the cachix secret, which could
be used to push malicious code to cachix, which would then be pulled by
a more privileged workflow like reviewers.yml later.
parent 0b1deb8c
+2 −1
@@ -80,6 +80,7 @@ jobs:
        uses: ./.github/actions/checkout
        with:
          merged-as-untrusted-at: ${{ inputs.mergedSha }}
          target-as-trusted-at: ${{ inputs.targetSha }}

      - uses: cachix/install-nix-action@fd24c48048070c1be9acd18c9d369a83f0fe94d7 # v31

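Review bot: the new `target-as-trusted-at: ${{ inputs.targetSha }}` input gives the job a trusted tree, but the untrusted checkout (`merged-as-untrusted-at: ${{ inputs.mergedSha }}`) stays in the same job, and that job still receives the cachix secret per the commit message. Worth confirming that no remaining step in this job evaluates or builds anything under the untrusted tree; a short comment on the checkout step stating which tree may be executed and which may only be read as data would make that intent durable.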
@@ -92,7 +93,7 @@ jobs:
          pushFilter: -source$

      - name: Build codeowners validator
        run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator
        run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator

      - name: Validate codeowners
        env:
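Review bot: moving the build to `nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned` closes the path described in the commit message, since the derivation pushed to cachix is now evaluated from the target commit rather than the PR merge. The following `Validate codeowners` step is cut off here; if it points the validator at the untrusted checkout that is fine only as long as the validator treats that tree as input data and nothing in that step runs nix against it. A one-line comment above this step noting that it must remain on the trusted checkout because the job holds the cachix secret would help prevent a repeat of the regression from f7d6d11e.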