refactor(ci): make /ok-to-test's unprivileged status explicit via privileged_ci input#1064
Conversation
|
Welcome to AICR, @fallintoplace! Thanks for your first pull request. Before review, please ensure:
A maintainer will review this soon. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Enterprise Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis PR adds a Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Possibly related PRs
Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Thanks for the careful write-up on #1063 and for following through with a fix — really appreciate it. The analysis in the issue was spot-on and is what made the security fix easy to land quickly.
Quick context: we merged the minimum-diff fix in #1067 yesterday to close the immediate gap (dropped id-token: write and security-events: write from ok-to-test.yaml's call to qualification.yaml). That's why this branch is now showing dirty against main.
That said, the privileged_ci toggle here is a meaningfully cleaner answer than the implicit-degradation we landed in #1067 — explicit > implicit, no half-coverage from the cli-e2e fork-gate quirk, and the pattern is reusable for any future unprivileged-context invocation. I'd like to keep this PR open and merge it as a refactor on top.
Could you rescope to just the still-net-new parts? After rebasing onto current main:
qualification.yaml: add theprivileged_ciinput (defaulttrue, preserves behavior formerge-gate/on-push/on-tagcallers) and theif: inputs.privileged_cigates oncli-e2eandsecurity-scan. Same as you have today.ok-to-test.yaml: only addprivileged_ci: falseto thewith:block. The permissions block is already cleaned up by #1067 — nothing to do there.- PR title/description: reframe as
refactor(ci): make /ok-to-test's unprivileged status explicit via privileged_ci input. References #1063 / #1067 for context.
One small naming consideration in my inline review — privileged_ci is fine, but trusted_source or trusted_workflow more accurately captures what the flag governs (the trust level of the checked-out ref). Take it or leave it.
Thanks again for the contribution.
03cdaec to
0f76096
Compare
|
Actionable comments posted: 0 |
This keeps the
/ok-to-testfork path unprivileged, but makes that intent explicit in the reusable workflow instead of relying on implicit permission loss and step-level soft degradation.Context:
/ok-to-testchecks out a fork PR head SHA and then runs local actions from that checkout.ok-to-test.yaml.What changed:
privileged_ciinput toqualification.yamlwith a default oftruecli-e2eandsecurity-scanwhenprivileged_ciisfalseprivileged_ci: falseinok-to-test.yamlsecurity-scanunder the unprivileged fork path is intentional so fork-derived SARIF is never uploaded under the base repo identityWhy this is better than the minimum-diff fix alone:
/ok-to-testcall site now says what it meanscli-e2eandsecurity-scanare cleanly skipped instead of half-degrading underissue_commentcontextqualification.yamlValidation:
actionlint -color -shellcheck= .github/workflows/qualification.yaml .github/workflows/ok-to-test.yamlYAML.load_fileparse of both edited workflow files