Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
avoid race condition between scdiff comment and fetching PR head sha
There is a small window after leaving an scdiff comment, where the workflow queues then sends an API request to determine the PR head SHA. An attacker could use this time to push new code that wasn't reviewed. This change attempts to ensure the code that runs is older than the code the requester saw when leaving the scdiff comment. Both timestamps used are controlled by GitHub, not a user controlled timestamp. There may be some false positives, as `repo.pushed_at` corresponds to all repo activity, not just the branch used for the PR. This risk is acceptable as it's better to be safe; we can always re-run the workflow.

Signed-off-by: Spencer Schrock <[email protected]>
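The ordering check the commit message describes, written out as an added illustration in Python (this is not the scorecard project's own workflow code). It assumes the workflow has already fetched the triggering issue comment and the repository object from the GitHub REST API, and uses only their GitHub-controlled `created_at` and `pushed_at` fields; the sample payloads, the function names `parse_github_time`, `code_predates_comment` and `gate`, and the choice to treat an equal timestamp as unsafe are all constructed here for the example.

```python
"""Timestamp ordering gate for a comment-triggered workflow.

Added illustration, not the project's own code. The workflow is assumed to
have fetched two objects from the GitHub REST API: the issue comment that
triggered it and the repository. Both carry timestamps set by GitHub, so a
commenter or pusher cannot forge them. The gate refuses to run when the last
push is not strictly older than the comment, i.e. when code may have landed
after the requester looked at the PR.
"""
from datetime import datetime, timezone
from typing import Tuple

# Constructed sample payloads, shaped like the relevant fields of the
# GitHub API responses for an issue comment and a repository.
SAMPLE_COMMENT = {"id": 1, "body": "/scdiff", "created_at": "2024-05-01T12:00:00Z"}
SAMPLE_REPO_OK = {"full_name": "example/repo", "pushed_at": "2024-05-01T11:58:30Z"}
SAMPLE_REPO_RACED = {"full_name": "example/repo", "pushed_at": "2024-05-01T12:00:05Z"}


def parse_github_time(value: str) -> datetime:
    """Parse a GitHub API timestamp (ISO 8601, normally UTC with a 'Z' suffix)
    into a timezone-aware datetime normalised to UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat on older Pythons rejects 'Z'
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without timezone: {value!r}")
    return dt.astimezone(timezone.utc)


def code_predates_comment(comment_created_at: str, repo_pushed_at: str) -> bool:
    """True only when the last push is strictly older than the triggering comment.

    A push in the same second as the comment is treated as unsafe (assumption
    made here: prefer a false positive, since the workflow can be re-run).
    """
    commented = parse_github_time(comment_created_at)
    pushed = parse_github_time(repo_pushed_at)
    return pushed < commented


def gate(comment: dict, repo: dict) -> Tuple[bool, str]:
    """Decide whether the workflow may proceed, with a human-readable reason.

    `repo["pushed_at"]` reflects pushes to any branch of the repository, so a
    refusal may be a false positive; the remedy is to re-run the workflow.
    """
    if code_predates_comment(comment["created_at"], repo["pushed_at"]):
        return True, "last push predates the comment; proceeding"
    return False, (
        f"repository pushed at {repo['pushed_at']}, which is not older than the "
        f"comment at {comment['created_at']}; refusing to run unreviewed code"
    )


if __name__ == "__main__":
    for repo in (SAMPLE_REPO_OK, SAMPLE_REPO_RACED):
        ok, reason = gate(SAMPLE_COMMENT, repo)
        print("PROCEED" if ok else "ABORT", "-", reason)
```

In a workflow the two inputs would come from the `issue_comment` event payload and a `GET /repos/{owner}/{repo}` call; the comparison is done on parsed, timezone-aware values rather than on the raw strings so that an offset-form timestamp (`+02:00`) is ordered correctly.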