
Conversation

@adamreeve
Contributor

This uses the pull_request_target trigger, which goes against the ASF GitHub Actions Policy.

From reading https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/, my understanding is that we're using pull_request_target correctly here by not checking out untrusted code. We need to use this target instead of pull_request to have permission to comment on the PR.

The ASF automated check seems too strict to me, but I'm not sure it's worth the hassle to challenge this and we can work without this workflow.

Maybe as an alternative, we could add something to the pull request template that's commented out by default but users can uncomment and edit if they're making documentation changes? I can add that in a follow-up PR.

cc @kou

@adamreeve adamreeve requested a review from kou February 3, 2026 02:09
Member

@kou kou left a comment


+1

I agree with you. We designed this workflow carefully so that it does not use actions/checkout, so this usage is safe. But let's remove this to follow the ASF policy.
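The pattern both comments describe (a `pull_request_target` workflow that needs permission to comment on the PR and therefore must never check out or execute the PR's own code) looks like this. This is an added illustration, not the workflow that this PR removes from the Apache repository; the workflow name, the comment text and the use of `actions/github-script` are assumptions.

```yaml
# Added example, not the apache repository's own workflow.
name: Docs reminder

on:
  pull_request_target:
    types: [opened, synchronize]

# Least privilege: only what posting a PR comment requires.
# (pull_request from a fork would not get a write-capable token at all.)
permissions:
  contents: read
  pull-requests: write

jobs:
  remind:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout step. The workflow runs in the
      # context of the base repository and only reads PR metadata, so the
      # write-capable token is never exposed to untrusted changes from the
      # PR head. The unsafe variant the linked article warns about is
      # checking out github.event.pull_request.head.sha here and then
      # building or running scripts from it.
      - name: Comment on the PR
        uses: actions/github-script@v7
        with:
          script: |
            const pr = context.payload.pull_request;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              body: 'Reminder: if this PR changes documentation, please describe the affected pages.',
            });
```

Whether such a workflow is accepted still depends on the project's policy checks, which in this case flagged any use of `pull_request_target` regardless of how the checkout step is handled.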

@kou kou merged commit 12fce23 into apache:main Feb 3, 2026
14 checks passed
@adamreeve adamreeve deleted the remove-pr-comment branch February 3, 2026 02:39