mirror of https://github.com/go-gitea/gitea.git
edf98a2dc3
Currently, Gitea will run actions automatically which are triggered by fork pull request. It's a security risk, people can create a PR and modify the workflow yamls to execute a malicious script. So we should require approval for first-time contributors, which is the default strategy of a public repo on GitHub, see [Approving workflow runs from public forks](https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks). Current strategy: - don't need approval if it's not a fork PR; - always need approval if the user is restricted; - don't need approval if the user can write; - don't need approval if the user has been approved before; - otherwise, need approval. https://user-images.githubusercontent.com/9418365/217207121-badf50a8-826c-4425-bef1-d82d1979bc81.mov GitHub has an option for that, you can see that at `/<owner>/<repo>/settings/actions`, and we can support that later. <img width="835" alt="image" src="https://user-images.githubusercontent.com/9418365/217199990-2967e68b-e693-4e59-8186-ab33a1314a16.png"> --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
||
---|---|---|
.. | ||
TRANSLATORS | ||
locale_bg-BG.ini | ||
locale_cs-CZ.ini | ||
locale_de-DE.ini | ||
locale_el-GR.ini | ||
locale_en-US.ini | ||
locale_es-ES.ini | ||
locale_fa-IR.ini | ||
locale_fi-FI.ini | ||
locale_fr-FR.ini | ||
locale_hu-HU.ini | ||
locale_id-ID.ini | ||
locale_is-IS.ini | ||
locale_it-IT.ini | ||
locale_ja-JP.ini | ||
locale_ko-KR.ini | ||
locale_lv-LV.ini | ||
locale_ml-IN.ini | ||
locale_nl-NL.ini | ||
locale_pl-PL.ini | ||
locale_pt-BR.ini | ||
locale_pt-PT.ini | ||
locale_ru-RU.ini | ||
locale_si-LK.ini | ||
locale_sk-SK.ini | ||
locale_sv-SE.ini | ||
locale_tr-TR.ini | ||
locale_uk-UA.ini | ||
locale_zh-CN.ini | ||
locale_zh-HK.ini | ||
locale_zh-TW.ini |