adonis0147 opened a new pull request, #24761:
URL: https://github.com/apache/doris/pull/24761

   ## Proposed changes
   
   ~~Issue Number: close #xxx~~
   
   The workflow `Code Checks` needs write permissions granted by the event 
`pull_request_target` to comment on pull requests. However, if the workflow 
runs users' code, malicious code would do some dangerous actions on our 
repository.
   
   The following changes are made in this PR:
   1. Instead of applying patches, we use `sed` to modify the `entrypoint.sh` 
in action-sh-checker explicitly in the workflow.
   2. Revoke the write permissions when generating `compile_commands.json` 
which is produced by executing the build script `build.sh`.
   
   ## Further comments
   
   If this is a relatively large or complex change, kick off the discussion at 
[d...@doris.apache.org](mailto:d...@doris.apache.org) by explaining why you 
chose the solution you did and what alternatives you considered, etc...
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
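
The permission split described in item 2 of the pull request, as an added configuration sketch that is not taken from the PR or from the Doris repository. The job names, step names, artifact name, the bare `./build.sh` invocation and the output path are assumptions.

```yaml
# Constructed example: a pull_request_target workflow in which the job that
# executes contributor code holds a read-only token, and only a separate job
# that runs no contributor code may write to the pull request.
name: Code Checks (sketch)
on: pull_request_target

# Workflow-wide default: the token grants nothing unless a job opts in.
permissions: {}

jobs:
  generate:
    runs-on: ubuntu-latest
    permissions:
      contents: read                 # enough to fetch the PR head, nothing more
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false # keep the token out of .git/config
      - name: Generate compile_commands.json
        run: ./build.sh              # contributor-controlled script (arguments omitted)
      - uses: actions/upload-artifact@v4
        with:
          name: compile-commands
          path: compile_commands.json   # assumed output location

  comment:
    needs: generate
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write           # write access exists only in this job
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: compile-commands
      - name: Comment on the pull request
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        # The artifact is treated as data only; nothing from the PR is executed here.
        run: gh pr comment "$PR" --repo "$REPO" --body "compile_commands.json generated"
```

Job-level `permissions` scope only `GITHUB_TOKEN`; a repository secret referenced in the `generate` job would still be readable by the code that job runs.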

