[RFC] Rebuild Docker images per commit

@driazati @leandron,

I think this proposal will benefit all the work that requires updates to dependencies. @masahi @Leo-arm @elenkalda-arm

I would suggest let's scope the scripts that are relevant to this proposal (as it seems there are already other places the attackers could exploit anyway). Isn't it just build.sh that we need to check out from the main?

make sure scripts run outside of docker are checked out from the target branch and not the PR branch for forked PRs (similar to how we manage the Jenkinsfile now).

I think this approach should address the concern. @driazati, I can understand not being able to test things out in the upstream CI; however, how much of a concern is that related to the scripts in question here (I'm thinking it is just build.sh, but maybe I am wrong)?

We could take this further and only rebuild docker images on branches, which would still make testing / updating easier without the risks.

I am not sure I follow this proposal. Can you elaborate?

cc: @areusch