

@eap eap commented Jan 30, 2026

Change check run "pull_request" trigger to "pull_request_target". This will allow pull requests from forks to execute in the correct CI environment with access to the secret keys needed to launch the test on EC2.

I also changed the configuration on this repo to require approval for PR check-runs on pulls from members outside our organization. This will prevent people from issuing "PWN Requests" to harvest our tasty AWS secrets.

One other security note here: the credentials at risk here are very limited in scope (because they were issued with risk management in mind). The AWS credentials only allow for CI launching (and that is rate-limited by budget controls). The git credentials allow read-only access to repos required for the test.
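
An added example, not part of this PR or the project's code: a heuristic Python audit for the workflow pattern behind the "PWN Request" risk mentioned above, where a `pull_request_target` job (which runs with the base repository's secrets) also checks out the pull request's head. The sample workflow, script path and secret name are constructed for illustration.

```python
import re

# Constructed sample workflow; the script path and secret name are
# illustrative, not taken from the repository discussed above.
RISKY = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork code
      - run: ./ci/launch_test.sh
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""
# Same trigger, but the job only ever checks out the base branch.
BASE_ONLY = RISKY.replace("pull_request.head.sha", "pull_request.base.sha")
# Plain pull_request: fork PRs run without the repository's secrets.
UNPRIVILEGED = RISKY.replace("pull_request_target:", "pull_request:")

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|refs/pull/")
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")

def strip_comments(text):
    """Drop YAML comments so a commented-out trigger is not reported."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    return "\n".join(re.sub(r"\s+#.*$", "", l) for l in lines)

def audit(workflow_text):
    """Return (risk, secrets referenced) for one workflow file's text."""
    body = strip_comments(workflow_text)
    if not re.search(r"\bpull_request_target\b", body):
        return "none", []
    secrets = sorted(set(SECRET.findall(body)))
    if HEAD_REF.search(body):
        # Untrusted fork code executes in a job that can read secrets.
        return "high", secrets
    # Privileged trigger, base-branch code only: still worth a human look.
    return "review", secrets

if __name__ == "__main__":
    for name, wf in [("risky", RISKY), ("base-only", BASE_ONLY),
                     ("unprivileged", UNPRIVILEGED)]:
        print(name, *audit(wf))
```

The approval requirement for outside contributors described above is a repository setting, so a file scan like this cannot see it; a "high" result means that setting is the control standing between a fork and the listed secrets.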

@eap eap requested a review from BenjaminTJohnson January 30, 2026 22:15
@eap eap self-assigned this Jan 30, 2026

eap commented Jan 30, 2026

Evidently CI is broken here. I'll do a little digging using this PR.

eap added 3 commits January 30, 2026 15:55
Add secret debug. Also I think the answer is that the secret key has to be in the fork repo. So there needs to be a workaround to fix this.

@BenjaminTJohnson BenjaminTJohnson left a comment

just remove the part that tier2 test_check_crtm_random, leaving the CI modification.

@eap eap changed the title from 'Update crtm test "test_check_crtm_random" with "tier2" label.' to 'Change check run "pull_request" trigger to "pull_request_target"' Feb 2, 2026
@eap eap requested a review from BenjaminTJohnson February 2, 2026 17:50
@BenjaminTJohnson BenjaminTJohnson merged commit 5b63e4b into JCSDA:develop Feb 2, 2026
@eap eap deleted the feature/random_test_tier2 branch February 2, 2026 17:55