Agreed that this would be useful. Depending on how this is done, and for which repos, this could introduce security concerns. For example:

- a github repo has sensitive processes (e.g. access to taskcluster secrets) that only happen on merge or release tag
- the github repo also allows for taskcluster automation on PR, for everyone, not just contributors
- a random github user opens a PR that changes .taskcluster.yml so they can access the taskcluster secret and print it out into the log

We should probably only allow this type of behavior in certain circumstances, and warn about the possibility of leaking sensitive processes or secrets.
Bug 1539523 Comment 1 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Hm, now that I reread, I think you're asking for the opposite behavior. Sorry :)
original comment:
> Agreed that this would be useful. Depending on how this is done, and for which repos, this could introduce security concerns. For example:
>
> - a github repo has sensitive processes (e.g. access to taskcluster secrets) that only happen on merge or release tag
> - the github repo also allows for taskcluster automation on PR, for everyone, not just contributors
> - a random github user opens a PR that changes .taskcluster.yml so they can access the taskcluster secret and print it out into the log
>
> We should probably only allow this type of behavior in certain circumstances, and warn about the possibility of leaking sensitive processes or secrets.
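One way to catch the scenario the comment describes (a PR-triggered task asking for a secret that should only be available on merge or release) is a config lint run before the task graph is created. The code below is an added example, not Bugzilla's or Taskcluster's own code; the config layout (`pull_request_policy`, `on`, `scopes`) is a constructed, simplified stand-in for a .taskcluster.yml, not the real Taskcluster schema, and `secrets:get:` is assumed to be the scope prefix that grants secret access.

```python
"""Lint a CI task config so that tasks which can run on pull requests from
arbitrary GitHub users never request secret scopes.

Added example. The structure below is a constructed, simplified stand-in for
.taskcluster.yml, not the real Taskcluster schema.
"""
from typing import Dict, List

SECRET_SCOPE_PREFIX = "secrets:get:"      # assumed prefix for secret-granting scopes
UNTRUSTED_EVENTS = {"pull_request"}       # events any GitHub user can trigger
TRUSTED_PR_POLICIES = {"collaborators"}   # PR policies that exclude random users


def find_secret_exposures(config: Dict) -> List[str]:
    """Return one finding per task that (a) can run on an untrusted event,
    (b) is open to any GitHub user under the repo's PR policy, and
    (c) requests at least one secret scope. An empty list means the config
    keeps secrets confined to merge/release-style events."""
    findings = []
    pr_policy = config.get("pull_request_policy", "public")
    for task in config.get("tasks", []):
        secret_scopes = [s for s in task.get("scopes", [])
                         if s.startswith(SECRET_SCOPE_PREFIX)]
        if not secret_scopes:
            continue
        untrusted = set(task.get("on", [])) & UNTRUSTED_EVENTS
        if untrusted and pr_policy not in TRUSTED_PR_POLICIES:
            findings.append(
                f"task {task['name']!r} runs on {sorted(untrusted)} for any "
                f"GitHub user and requests {secret_scopes}")
    return findings


# Constructed sample: the release task legitimately holds a secret; the
# PR task has been edited to request the same secret.
SAMPLE_CONFIG = {
    "pull_request_policy": "public",
    "tasks": [
        {"name": "release", "on": ["push", "release"],
         "scopes": ["secrets:get:project/example/signing-key"]},
        {"name": "pr-lint", "on": ["pull_request"],
         "scopes": ["secrets:get:project/example/signing-key"]},
    ],
}

if __name__ == "__main__":
    for finding in find_secret_exposures(SAMPLE_CONFIG):
        print("WARNING:", finding)
```

Restricting `pull_request_policy` to `collaborators`, or dropping the secret scope from the PR task, makes the lint pass; either is the kind of "only in certain circumstances" gate the comment asks for.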