Enable dependency-submission on same-repo pull requests#882
Enable dependency-submission on same-repo pull requests#882antoniojimeneznieto wants to merge 2 commits intotypelevel:mainfrom
Conversation
| val sameRepoPrCond = | ||
| "github.event.pull_request.head.repo.full_name == github.repository" |
There was a problem hiding this comment.
Could we use tlCiForkCondition for this, or is it checking something different? 🤔
There was a problem hiding this comment.
Oh sorry, dumb question, i see it's something different 🤔
There was a problem hiding this comment.
If I've got all of this right (which might not be the case 😅), the idea is to run the vulnerability detection job on PRs from the same repo so Scala Steward or a maintainer's branch which works because those PRs run with a token that can be granted contents: write.
However, it won't work for PRs from a contributor's fork, because the Submission API requires contents: write, and PRs from forks always run with a read-only token.
The sameRepoPrCond condition is checking this.
There was a problem hiding this comment.
Sorry, I'm still confused 😅
the idea is to run the vulnerability detection job on PRs from the same repo
However, it won't work for PRs from a contributor's fork
That makes sense. Isn't this equivalent to checking if CI is running on a fork? Which is what tlCiForkCondition represents.
There was a problem hiding this comment.
I think that tlCiForkCondition doesn't cover the case where a fork PR runs on the original repo's CI 🤔
There was a problem hiding this comment.
Oh I see, I think you are right! PR runs CI in the original repo, but without the write permissions. So confusing 😅 thanks for clarifying :)
2 participants
The dependency-submission job currently only runs on push, so vulnerabilities are only detected after merge. This PR enables it for same-repo PRs too, so projects can catch vulnerable dependencies before merging.
Fork PRs are still excluded because their read-only token can't call the Submission API.
Refs: #340, #342