mirror of
https://github.com/shaka-project/shaka-player.git
synced 2026-06-24 17:35:10 +03:00
de0f33c262
This workflow, triggerable only by maintainers, had some potential security issues. This is a big refactor, and makes several changes:

- Clean up description text (non-critical)
- Add granular permissions to set status (without this, the workflow was broken since we changed default permissions)
- Split the update-pr job into commit-new-screenshots (unprivileged) and update-pr (privileged as @shaka-bot)

The commit-new-screenshots job runs code that the PR author controls, such as "npm ci" (controlled through package.json and package-lock.json), and "./build/updateScreenshots.py" (easily edited to do whatever). These steps could be used to do literally anything, including modify tools in /usr/bin on the workflow VM that are needed by the privileged steps.

By moving the privileged steps into a completely separate job, we can ensure a clean slate without worrying about the VM's state. We only transfer the .git/ folder between the two jobs. So the commit-new-screenshots job will create the commit, and the update-pr job will actually push that commit from a clean VM.

The job is once again functional, and for the first time, actually safe.
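The two-job split described above, sketched as a GitHub Actions workflow. This is an added illustration, not the shaka-player project's actual workflow file; the artifact name, the `SHAKA_BOT_TOKEN` secret name, the bot e-mail placeholder and the status-setting step's location are assumptions.

```yaml
name: Update Screenshots
on:
  workflow_dispatch:          # manual trigger: maintainers only
    inputs:
      pr: { required: true }
permissions: {}               # no default token scopes for any job
jobs:
  # Unprivileged: runs PR-controlled code (npm ci, ./build/updateScreenshots.py); read-only token, no bot secret.
  commit-new-screenshots:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/${{ inputs.pr }}/head
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config, which is transferred
      - run: npm ci
      - run: ./build/updateScreenshots.py
      - run: |
          git config user.name "shaka-bot"
          git config user.email "shaka-bot@example.invalid"   # placeholder address (assumption)
          git add -A
          git commit -m "chore: Update screenshots"
      # Only .git/ crosses the job boundary; the rest of this VM is discarded.
      - uses: actions/upload-artifact@v4
        with:
          name: git-dir
          path: .git/
          include-hidden-files: true   # v4 drops dot-paths unless told otherwise
  # Privileged: fresh VM, never executes PR-controlled code, only pushes.
  update-pr:
    needs: commit-new-screenshots
    runs-on: ubuntu-latest
    permissions:
      statuses: write           # granular scope for the status-setting step (assumed to live here)
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: git-dir
          path: .git/
      - env:
          GH_TOKEN: ${{ secrets.SHAKA_BOT_TOKEN }}   # assumed secret name for @shaka-bot
          PR: ${{ inputs.pr }}
        run: |
          # Resolve the PR head (fork + branch) and push the transferred commit there.
          read -r HEAD_REPO HEAD_REF <<< "$(gh pr view "$PR" --repo "$GITHUB_REPOSITORY" \
            --json headRepositoryOwner,headRepository,headRefName \
            -q '.headRepositoryOwner.login + "/" + .headRepository.name + " " + .headRefName')"
          git push "https://x-access-token:${GH_TOKEN}@github.com/${HEAD_REPO}.git" "HEAD:${HEAD_REF}"
```

The privileged job never runs `npm ci` or anything else from the PR, so a malicious package.json or script cannot tamper with the tools that perform the push.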