aboutsummaryrefslogtreecommitdiff
path: root/options
diff options
context:
space:
mode:
authorJason Song2023-02-24 15:58:49 +0800
committerGitHub2023-02-24 15:58:49 +0800
commitedf98a2dc30956c8e04b778bb7f1ce55c14ba963 (patch)
tree2d8b7708f76a36c27700ab128082bdb976a0753e /options
parenta6175b01d92a75dcbadbbfc6782a486636fd62a2 (diff)
Require approval to run actions for fork pull request (#22803)
Currently, Gitea will run actions automatically which are triggered by fork pull request. It's a security risk, people can create a PR and modify the workflow yamls to execute a malicious script. So we should require approval for first-time contributors, which is the default strategy of a public repo on GitHub, see [Approving workflow runs from public forks](https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks). Current strategy: - don't need approval if it's not a fork PR; - always need approval if the user is restricted; - don't need approval if the user can write; - don't need approval if the user has been approved before; - otherwise, need approval. https://user-images.githubusercontent.com/9418365/217207121-badf50a8-826c-4425-bef1-d82d1979bc81.mov GitHub has an option for that, you can see that at `/<owner>/<repo>/settings/actions`, and we can support that later. <img width="835" alt="image" src="https://user-images.githubusercontent.com/9418365/217199990-2967e68b-e693-4e59-8186-ab33a1314a16.png"> --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Diffstat (limited to 'options')
-rw-r--r--options/locale/locale_en-US.ini2
1 files changed, 2 insertions, 0 deletions
diff --git a/options/locale/locale_en-US.ini b/options/locale/locale_en-US.ini
index df66ce233..fbd306805 100644
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -3346,3 +3346,5 @@ runs.open_tab = %d Open
runs.closed_tab = %d Closed
runs.commit = Commit
runs.pushed_by = Pushed by
+
+need_approval_desc = Need approval to run workflows for fork pull request.