Workflow for PR run checks to manage secret usage #71
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Hinton
reviewed
Mar 4, 2024
Hinton
reviewed
Mar 5, 2024
Hinton
reviewed
Mar 8, 2024
.github/workflows/scan.yml
Outdated
| @@ -8,24 +8,33 @@ on: | |||
| - "rc" | |||
| - "hotfix-rc" | |||
| pull_request: | |||
There was a problem hiding this comment.
I don't believe we need pull_request, target should run on both forks and local PRs just in a different context https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
There was a problem hiding this comment.
Based on my testing it didn't work, but I'll remove that for the moment and we merge to see what really happens.
joseph-flinn
approved these changes
Mar 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🎟️ Tracking
Internal change.
📔 Objective
See https://michaelheap.com/access-secrets-from-forks/ for background. This provides a
check-run.ymlreusable workflow that becomes aneedfor the two new scanning workflows that use secrets. When invoked by non-members of the organization, the check workflow will fail and short-circuit the scanners, therefore not failing on secret access. A member can then review the change for safety and manually run the workflows that failed or were skipped. This can serve as a pattern across all our repos that use secrets in workflows and we better collaborate with external contributors.⏰ Reminders before review
🦮 Reviewer guidelines
:+1:) or similar for great changes:memo:) or ℹ️ (:information_source:) for notes or general info:question:) for questions:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes