mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-09 19:13:26 +03:00
By consistently checking out nixpkgs into the same location in every workflow, it's easier to reason about the different workflows at once. We also use crystal-clear names to make clear which checkouts are considered trusted, because they only contain target-branch code, and which checkouts are untrusted, because they contain code from the head branch. By naming the checkout directories trusted/untrusted, it's obvious at the call site. One example of where we likely did the wrong thing is the nixpkgs-vet workflow: fetching the toolVersion from the untrusted checkout opens the door for an injection into the download URL, thus code could be downloaded from anywhere. This is not a problem, because this workflow does not run with elevated privileges, but it's a scary oversight nonetheless.
| Name |
|---|
| .. |
| actions/get-merge-commit |
| ISSUE_TEMPLATE |
| workflows |
| dependabot.yml |
| ISSUE_TEMPLATE.md |
| labeler-development-branches.yml |
| labeler-no-sync.yml |
| labeler.yml |
| PULL_REQUEST_TEMPLATE.md |
| STALE-BOT.md |
| stale.yml |