f4cbbe6429
In the workflow Code Checks, we use the event pull_request_target which has write permission to enable the actions to comment on our PRs. We should be careful with the write permission and must forbid from running any user code. The previous PR #24761 tried its best to achieve this goal. However, there is a scenario lacking of consideration (See #26494). #26494 attacks the workflow by git submodule way. This PR fixes this scenario by checkouting the external action explicitly in the workflow.
27 lines
1.1 KiB
Plaintext
27 lines
1.1 KiB
Plaintext
[submodule ".github/actions/label-when-approved-action"]
|
|
path = .github/actions/label-when-approved-action
|
|
url = https://github.com/TobKed/label-when-approved-action
|
|
[submodule ".github/actions/get-workflow-origin"]
|
|
path = .github/actions/get-workflow-origin
|
|
url = https://github.com/potiuk/get-workflow-origin.git
|
|
[submodule ".github/actions/setup-maven"]
|
|
path = .github/actions/setup-maven
|
|
url = https://github.com/stCarolas/setup-maven.git
|
|
[submodule ".github/actions/paths-filter"]
|
|
path = .github/actions/paths-filter
|
|
url = https://github.com/dorny/paths-filter
|
|
[submodule ".github/actions/action-pr-title"]
|
|
path = .github/actions/action-pr-title
|
|
url = https://github.com/deepakputhraya/action-pr-title.git
|
|
[submodule ".github/actions/ccache-action"]
|
|
path = .github/actions/ccache-action
|
|
url = https://github.com/hendrikmuhs/ccache-action
|
|
[submodule "be/src/apache-orc"]
|
|
path = be/src/apache-orc
|
|
url = https://github.com/apache/doris-thirdparty.git
|
|
branch = orc
|
|
[submodule "be/src/clucene"]
|
|
path = be/src/clucene
|
|
url = https://github.com/apache/doris-thirdparty.git
|
|
branch = clucene
|