
  > I'm not sure how this could be exploited by just making a PR, unless you for some reason have secrets enabled for builds by unknown contributors
In this context the renovate bot would be making the PR to a repo it had been installed on, making it a trusted contributor able to trigger CI builds on its PRs.
