tangled.org / core
Monorepo for Tangled tangled.org
fork atom

Run PR pipeline from non collaborators #338

open
opened by boltless.me

currently, knot's JetstreamClient only listens for known DIDs which are:

  • knot owner
  • new knot members added by knot owner
  • new collaborators for repos using this knot

In most cases, this is fine and efficient because knot member is basically an invite-only relationship.

knot owner (source, root knot member)
    |
    v
repo owners (invited knot members)
    |
    v
repo collaborators (known DIDs mentioned by existing knot members)

The problem occurs when we ingesting sh.tangled.repo.pull records.1
If anonymous user creates a PR, that PR submission won't trigger the pipeline.

It's pretty hard to solve this with jetstream, but tap can help this kind of partial network backfill.

Also related: #335

  1. Currently, knot is ingesting PR creations. We will move this logic to spindle in near future. See #320.ย โ†ฉ๏ธŽ

oppi.li

If anonymous user creates a PR, that PR submission won't trigger the pipeline.

this is intentional, the way pipelines will work for non-collaborators (in my head) is like so:

  • a non-collaborator opens a PR via fork
  • a collaborator manually approves that round for pipeline execution
  • the pipeline is executed via manual trigger
  • repeat for new rounds

i don't think github-style approve-once-for-this-PR is a safe model (the PR could evolve to exfiltrate secrets). executions of pipelines on forks should also warn when the patch is modifying .tangled/workflows and request that the user triple-check the diff before execution.

boltless.me (author)

Automatic workflow for anonymous PRs like test or format check is pretty useful to give quick automatic review to the PR. It's on author to define sensitive workflows only run on safe condition.

so there can be two execution models:

  • workflow run on condition (new PR, potential minimum approve count requirement)
  • workflow run manually from pipeline page

Also we can simply use latest workflow definition in target branch for new PRs and don't run workflows defined inside the PR at all.

sign up or login to add to the discussion
Labels

None yet.

area
spindle
assignee
boltless.me
Participants 2
AT URI
at://did:plc:xasnlahkri4ewmbuzly2rlc5/sh.tangled.repo.issue/3maazutr2g322