Open
Description
Currently, test CI is using the pull_request trigger. However, with this trigger the secrets are not populated when the PR author is external to the repository.
This is done on purpose for security reasons: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
Many people on the internet suggest using pull_request_target, but according to a quick read of the GitHub Security Lab article, this is only a workaround which does not help with security at all.
The proper solution seems to be to separate the workflow in two:
- the existing workflow will only publish the coverage.xml as an artifact
- a new workflow will be responsible for publishing this coverage.xml
Seems pretty simple to implement, but to be confirmed (I skimmed through the GitHub article way too fast) and tested of course.
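A concrete shape for the two-workflow split, added here as an illustration rather than code from this repository: the workflow names (`test`, `publish-coverage`), the artifact name `coverage`, the `make coverage` command, the `publish-coverage.sh` script and the `COVERAGE_TOKEN` secret are all assumed. The first workflow keeps the `pull_request` trigger (no secrets for fork PRs, which is fine because it only tests and uploads), the second uses `workflow_run`, which executes in the base repository's context with secrets, so it must never check out or run anything from the PR head.

```yaml
# .github/workflows/test.yml  (assumed file name)
# Runs untrusted PR code, so it deliberately has no secrets and only
# produces the coverage report as an artifact.
name: test
on:
  pull_request:

permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests with coverage
        run: make coverage            # assumed: writes coverage.xml
      - name: Record the PR number next to the report
        # workflow_run payloads for fork PRs do not reliably carry the
        # PR number, so ship it inside the artifact and validate it later.
        env:
          PR_NUMBER: ${{ github.event.number }}
        run: echo "$PR_NUMBER" > pr_number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: |
            coverage.xml
            pr_number.txt
---
# .github/workflows/publish-coverage.yml  (assumed file name)
# Triggered when the "test" workflow finishes. Runs with base-repo
# secrets; the only PR-controlled input it touches is the artifact,
# which is treated as untrusted data.
name: publish-coverage
on:
  workflow_run:
    workflows: ["test"]
    types: [completed]

permissions:
  actions: read        # needed to download another run's artifacts
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    steps:
      # In a workflow_run context this checks out the default branch of
      # the base repository, i.e. trusted code, never the PR head.
      - uses: actions/checkout@v4
      - name: Download the coverage artifact from the triggering run
        uses: actions/download-artifact@v4
        with:
          name: coverage
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Validate the PR number before using it
        # The file comes from the PR's run, so it is attacker-controlled;
        # accept only a plain integer and refuse anything else.
        run: |
          pr="$(tr -d '[:space:]' < pr_number.txt)"
          printf '%s' "$pr" | grep -Eq '^[0-9]+$' || { echo "invalid pr_number.txt"; exit 1; }
          echo "PR_NUMBER=$pr" >> "$GITHUB_ENV"
      - name: Publish coverage.xml
        env:
          COVERAGE_TOKEN: ${{ secrets.COVERAGE_TOKEN }}   # assumed secret name
        run: ./publish-coverage.sh coverage.xml "$PR_NUMBER"  # assumed script
```

Two things worth checking when trying this: a `workflow_run` workflow only fires once its file exists on the default branch, so it cannot be tested from the PR that introduces it, and the artifact's contents (including `coverage.xml` itself) should be parsed with the same suspicion as the PR number, since the PR author fully controls them.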