Python: Secure Python test coverage workflow (#9961)
### Motivation and Context

The Python test coverage workflow needs to post comments of coverage results on PRs, which requires the proper permissions. By default, PRs from forks don't have the required permissions if the workflow is triggered by the `pull_request` event. However, one can use the `pull_request_target` event as the trigger and check out the code from the PR for test coverage. This approach poses various security risks as it gives the code from the PR full access to the repository secrets.

### Description

It's recommended to use a two-stage approach for this kind of scenario: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

In this PR,

1. a new workflow is created named `python-test-coverage-report`. This workflow is given the proper permissions to post the coverage report in the PR comments by using the `workflow_run` trigger. This trigger ensures the workflow is run in the context of the default branch.
2. the existing workflow `python-test-coverage` is updated such that it only runs the unit tests and doesn't have the permissions to post the coverage report in the PR comments.

### Contribution Checklist

- [x] The code builds clean without any errors or warnings
- [x] The PR follows the [SK Contribution Guidelines](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md) and the [pre-submission formatting script](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md#development-scripts) raises no violations
- [x] All unit tests pass, and I have added new tests where possible
- [x] I didn't break anyone 😄
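An added illustration of the two-stage layout the commit message describes: a read-only workflow that runs the fork's code and only uploads an artifact, and a `workflow_run` workflow that holds the `pull-requests: write` scope, never checks out PR code, and validates the artifact before commenting. These are example workflows written here, not the project's own files; the file paths, step commands, artifact name and coverage parsing are assumptions.

```yaml
# Stage 1 (hypothetical path .github/workflows/python-test-coverage.yml): runs untrusted PR code
name: python-test-coverage
on:
  pull_request:
permissions:
  contents: read                      # read-only token; fork code executes in this job
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install pytest pytest-cov && pytest --cov --cov-report=xml
      - run: echo "${{ github.event.number }}" > pr_number.txt   # hand the PR number to stage 2
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: |
            coverage.xml
            pr_number.txt
---
# Stage 2 (hypothetical path .github/workflows/python-test-coverage-report.yml): trusted context
name: python-test-coverage-report
on:
  workflow_run:
    workflows: [python-test-coverage]
    types: [completed]
permissions:
  pull-requests: write                # the only workflow allowed to comment; never checks out PR code
jobs:
  report:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: coverage
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            // Artifact contents were produced by untrusted code: treat them as data and validate.
            const fs = require('fs');
            const pr = Number(fs.readFileSync('pr_number.txt', 'utf8').trim());
            if (!Number.isInteger(pr) || pr <= 0) throw new Error('bad pr_number.txt');
            const { data } = await github.rest.pulls.get({ ...context.repo, pull_number: pr });
            if (data.head.sha !== context.payload.workflow_run.head_sha) throw new Error('PR/run mismatch');
            const xml = fs.readFileSync('coverage.xml', 'utf8');
            const rate = xml.match(/line-rate="([0-9.]+)"/)?.[1] ?? 'n/a';
            await github.rest.issues.createComment({ ...context.repo, issue_number: pr, body: `Line coverage: ${rate}` });
```

The head-SHA comparison ties the PR number read from the artifact to the run that actually produced it, so a tampered `pr_number.txt` cannot redirect the comment to an unrelated PR.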