From 9d22a98050b16f8f6541e9073bf6e33178e8e143 Mon Sep 17 00:00:00 2001
From: Bajczi Levente
Date: Mon, 26 Feb 2024 16:44:28 +0100
Subject: [PATCH 1/4] Update sonar.yml
---
 .github/workflows/sonar.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
index 91d9ce713b..f5fe11c2af 100644
--- a/.github/workflows/sonar.yml
+++ b/.github/workflows/sonar.yml
@@ -4,6 +4,8 @@ on:
 pull_request_target:
 types: [opened, synchronize, reopened]
+permissions: read-all
+
 concurrency:
 group: sonar-${{ github.head_ref }}
 cancel-in-progress: true
@@ -37,11 +39,12 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.ref }}
 repository: ${{ github.event.pull_request.head.repo.full_name }}
+ persist-credentials: false
 - name: Analyze in PR
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- if: env.SONAR_TOKEN != '' && github.event_name == 'pull_request_target'
+ if: env.SONAR_TOKEN != '' && github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'Ready to merge')
 uses: gradle/gradle-build-action@40b6781dcdec2762ad36556682ac74e31030cfe2 # v2.5.1
 with:
 arguments: build jacocoTestReport sonar --info -Dorg.gradle.jvmargs=-XX:MaxMetaspaceSize=512m -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
From c0f0d41b196a2d5ac752b5462301e5c35bf4ebe4 Mon Sep 17 00:00:00 2001
From: Bajczi Levente
Date: Mon, 26 Feb 2024 16:45:48 +0100
Subject: [PATCH 2/4] Update sonar.yml
---
 .github/workflows/sonar.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
index f5fe11c2af..dee829ff69 100644
--- a/.github/workflows/sonar.yml
+++ b/.github/workflows/sonar.yml
@@ -2,7 +2,7 @@ name: Sonar analysis
 on:
 push:
 pull_request_target:
- types: [opened, synchronize, reopened]
+ types: [opened, synchronize, reopened, labeled]
 permissions: read-all
 
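Review bot: `permissions: read-all` in the first hunk grants the job token read access on every scope rather than only the ones this job uses, so the least-privilege form is an explicit block, `permissions:` followed by `  contents: read`, which is all actions/checkout needs. Whether anything downstream (for example Sonar pull-request decoration driven through GITHUB_TOKEN) needs a wider scope cannot be told from the hunk, so widen only once a concrete consumer is identified. Keeping the scopes explicit also makes any later widening visible as a trust change in review, which matters for a workflow triggered by pull_request_target.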
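Review bot: The new label gate on the Analyze step does not pin what gets built: the checkout in the same hunk still uses `ref: ${{ github.event.pull_request.head.ref }}`, a fork branch name, so `gradle build` runs whatever that branch points at when the job starts, and because `synchronize` events keep existing labels, every push after a maintainer labels the PR re-runs untrusted build scripts with SONAR_TOKEN and GITHUB_TOKEN in the step environment; the same gap applies to patch 2/4's `labeled` trigger and patch 3/4's renamed label. Checking out `ref: ${{ github.event.pull_request.head.sha }}` at least ties the run to the commit in the event payload; binding the label to a reviewed commit (clearing the label on synchronize in a separate workflow, or placing the step in an `environment` with required reviewers) is what actually closes the window. `persist-credentials: false` is the right addition but only protects the git credential written by checkout, not the step-level secrets. The checkout step's own `name:`, `if:` and `uses:` lines lie above the hunk, so whether untrusted code is fetched before the gate is evaluated is not visible here.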
From 006b6fc5de2a99d0fb6302607ccd825a37a27f23 Mon Sep 17 00:00:00 2001
From: Bajczi Levente
Date: Mon, 26 Feb 2024 16:46:51 +0100
Subject: [PATCH 3/4] Update sonar.yml
---
 .github/workflows/sonar.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
index dee829ff69..d3a69953b4 100644
--- a/.github/workflows/sonar.yml
+++ b/.github/workflows/sonar.yml
@@ -44,7 +44,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- if: env.SONAR_TOKEN != '' && github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'Ready to merge')
+ if: env.SONAR_TOKEN != '' && github.event_name == 'pull_request_target' && contains(github.event.pull_request.labels.*.name, 'Ready to test')
 uses: gradle/gradle-build-action@40b6781dcdec2762ad36556682ac74e31030cfe2 # v2.5.1
 with:
 arguments: build jacocoTestReport sonar --info -Dorg.gradle.jvmargs=-XX:MaxMetaspaceSize=512m -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
From a9d2d7ed1ca64e347b120acd4dea83f2e12dc1fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1rton=20Elekes?= <17354718+marci543@users.noreply.github.com>
Date: Fri, 1 Mar 2024 00:07:54 +0100
Subject: [PATCH 4/4] Add notice to GH workflow
---
 .github/workflows/sonar.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
index d3a69953b4..d6078ecf79 100644
--- a/.github/workflows/sonar.yml
+++ b/.github/workflows/sonar.yml
@@ -4,6 +4,7 @@ on:
 pull_request_target:
 types: [opened, synchronize, reopened, labeled]
+# Please read https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ before editing this file
 permissions: read-all
 concurrency:
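Review bot: The comment added in patch 4/4 links the general pwn-request write-up but does not record the invariant this particular file depends on: the 'Ready to test' label is what allows a fork PR to run gradle with SONAR_TOKEN and GITHUB_TOKEN present, and the gated step runs again on every later push while the label stays. A second comment line next to it, such as `# The 'Ready to test' label lets a fork PR run gradle with SONAR_TOKEN; apply it only after reviewing the head commit and re-check after each new push`, keeps that operating rule beside the `permissions:` key it annotates rather than only in an external article.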