Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adds docs for ci:trust script #1408

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Adds docs for ci:trust script #1408

wants to merge 1 commit into from

Conversation

trevor-coleman
Copy link
Contributor

@trevor-coleman trevor-coleman commented Jan 18, 2024
edited

This adds a page to the docs on running tests on untrusted forks which explains how the ci:trust script works, and how to use it!

The docs are as follows:

name: Running Tests on Untrusted Forks
sidebar_position: 99

Running CI Scripts on Untrusted Forks

Untrusted forks could contain malicious code to mine cryptocurrency, steal secrets, or otherwise harm the CI server.

For PRs from untrusted forks, to run the CI scripts, we need to:

  1. Review the code to ensure that it is safe to run on the CI server.
  2. If the code is safe, run the ci:trust script to push the commits to a branch on the main repository, where the CI scripts can be run.
  3. Once the tests have run, the status of the PR will be updated automatically (because the commits are the same).

How to run the CI scripts on untrusted forks:

  1. Copy the name of the branch from the PR.
    ci-copy-fork-branch
  2. From your local clone of the main repository, run the ci:trust script. 
    yarn ci:trust <branch-name>
  3. The branch will be pushed and the tests will run
    ci-tests-running

What does ci:trust do?

The ci:trust script does the following:

  1. Adds and fetches the untrusted fork as a temporary remote in your local repository.
  2. Pushes the specific branch from the untrusted fork to a designated temporary branch in your original repository.
  3. Pushing to a local branch triggers the continuous integration (CI) tests on the commits of the branch.
  4. Because the commits are the same, the status of the PR will be updated automatically.

Notes

  1. The ci:trust script will only work if you have write access to the main repository. This prevents malicious users from running the script on the main repository.
  2. The ci:trust script pushes the commits to a branch called temp-branch-to-test-fork.

Warning

The temp-branch-to-test-fork branch will be deleted and recreated if it already exists. This allows the script to
clean up its own temporary branches.

@trevor-coleman trevor-coleman marked this pull request as draft January 18, 2024 16:12
@trevor-coleman trevor-coleman marked this pull request as ready for review January 18, 2024 16:18
@trevor-coleman trevor-coleman mentioned this pull request Jan 18, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markrickert markrickert markrickert approved these changes

@joshuayoes joshuayoes Awaiting requested review from joshuayoes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@trevor-coleman @markrickert