You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In order to run end-to-end tests, we need to use Azure AD tenant credentials as an external identity provider. The tests will fail without them.
The current approach is to have those credentials added in github repository secrets, reference them in workflows for tests, pass as environment variables to tox and then to tests.
However, this will result in failing tests check when an external contributor opens a PR, since the checks will run without access to those credentials. Merging the PR will therefore be blocked.
This is because contributors outside of owners or maintainers are not able to open a PR from a branch - due to security settings, they are only allowed to open a PR from a forked repository. Those settings are enforced because, with the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository. That limitation prevents from secrets leakage - we block unintended usage of our credentials, such as revealing them in logs (github redacts secrets from any output, but that could be bypassed, e.g. by base64 encoding them before printing out).
It is not an issue while the work on the IAM stack is still in progress, but in future we should find a solution for this exception - for example, by allowing to run the tests with custom IdP or contributor-owned credentials instead of our tenant.
The text was updated successfully, but these errors were encountered:
Enhancement Proposal
In order to run end-to-end tests, we need to use Azure AD tenant credentials as an external identity provider. The tests will fail without them.
The current approach is to have those credentials added in github repository secrets, reference them in workflows for tests, pass as environment variables to tox and then to tests.
However, this will result in failing tests check when an external contributor opens a PR, since the checks will run without access to those credentials. Merging the PR will therefore be blocked.
This is because contributors outside of owners or maintainers are not able to open a PR from a branch - due to security settings, they are only allowed to open a PR from a forked repository. Those settings are enforced because, with the exception of
GITHUB_TOKEN
, secrets are not passed to the runner when a workflow is triggered from a forked repository. That limitation prevents from secrets leakage - we block unintended usage of our credentials, such as revealing them in logs (github redacts secrets from any output, but that could be bypassed, e.g. by base64 encoding them before printing out).It is not an issue while the work on the IAM stack is still in progress, but in future we should find a solution for this exception - for example, by allowing to run the tests with custom IdP or contributor-owned credentials instead of our tenant.
The text was updated successfully, but these errors were encountered: