Skip to content

Updated the pre flight check yml file#287

Open
sudeeshna21 wants to merge 1 commit intoqualcomm:qualcomm-softwarefrom
sudeeshna21:preflight_check
Open

Updated the pre flight check yml file#287
sudeeshna21 wants to merge 1 commit intoqualcomm:qualcomm-softwarefrom
sudeeshna21:preflight_check

Conversation

@sudeeshna21
Copy link
Copy Markdown

@sudeeshna21 sudeeshna21 commented Mar 26, 2026

Running untrusted code on the pull_request_target trigger may lead to security vulnerabilities. These vulnerabilities include cache poisoning and granting unintended access to write privileges or secrets.

https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target

We should update all usage of pull_request_target in all workflow files and also update qualcomm-preflight-check to the latest.

@sudeeshna21 sudeeshna21 requested a review from njjetha March 26, 2026 05:22
@sudeeshna21
Updated the pre flight check yml file
9e875a9 
Signed-off-by: sudeeshn <sudeeshn@qti.qualcomm.com>
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security bot commented Mar 26, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

mynameistechno
mynameistechno approved these changes Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

@mynameistechno mynameistechno left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, please merge

jonathonpenix
jonathonpenix requested changes Mar 30, 2026
View reviewed changes
.github/workflows/qcom-preflight-checks.yml

jobs:
qcom-preflight-checks:
if: github.repository == 'qualcomm/cpullvm-toolchain'
Copy link
Copy Markdown
Contributor

@jonathonpenix jonathonpenix Mar 30, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this should be removed--please either re-add this or explain why it isn't needed anymore (ex: if it is expected to work on forks out-of-the-box now, etc.)

Copy link
Copy Markdown

@mynameistechno mynameistechno Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should work on forks - not sure why that was originally there

Copy link
Copy Markdown
Contributor

@jonathonpenix jonathonpenix Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was added as one of the checks (semgrep? something else? I forget) required additional security permissions that require extra setup (and generally getting notifications about failed runs in forks is just noise when it is coming out of the main repo).

Copy link
Copy Markdown

@mynameistechno mynameistechno Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it was because the past workflow required an org level secret. We've removed that requirement

Copy link
Copy Markdown
Contributor

@jonathonpenix jonathonpenix Mar 31, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is/was some Advanced Security/Dependency Graph setting: #23

Copy link
Copy Markdown

@mynameistechno mynameistechno Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, yeah that is annoying. We added a check that skips the dep review if it's not enabled https://github.com/qualcomm/qcom-reusable-workflows/blob/main/.github/workflows/reusable-dependency-review.yml#L10

njjetha
njjetha approved these changes Apr 1, 2026
View reviewed changes
Copy link
Copy Markdown

@njjetha njjetha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mynameistechno mynameistechno mynameistechno approved these changes

@jonathonpenix jonathonpenix jonathonpenix requested changes

@njjetha njjetha njjetha approved these changes

@apazos apazos Awaiting requested review from apazos

@navaneethshan navaneethshan Awaiting requested review from navaneethshan

Requested changes must be addressed to merge this pull request.

Assignees

@mynameistechno mynameistechno

@sudeeshna21 sudeeshna21

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@sudeeshna21 @github-advanced-security @mynameistechno @njjetha @jonathonpenix