🧹 Enable dependabot PRs #556
Conversation
.github/workflows/tests.yaml
Outdated
| with: | ||
| service-account-credentials: ${{ secrets.MONDOO_CLIENT }} | ||
| path: "mondoo-operator-manifests.yaml" | ||
| secrets: inherit | ||
| integration-tests: | ||
| needs: [unit-tests] | ||
| uses: ./.github/workflows/integration-tests.yaml |
There was a problem hiding this comment.
Do we know for sure this works? I think with this setup we will have the same issue with the secrets not being present
There was a problem hiding this comment.
I'm not sure.
According to the docs, the workflow_call jobs have access to secrets. But I'm not sure what in this combination the secrets: inherit does. I couldn't find anything about this combination. In case this does not work, we can call the integration-tests and security-tests differently and try that.
For testing the secrets, I wanted to recreate this dependabot PR: #554
There was a problem hiding this comment.
I am almost certain that this won't change anything. If you use secrets: inherit, it means the child workflow is getting the secrets from the parent workflow. If the tests are running from a fork or for a dependabot branch, they have no access to the secrets. The integration tests won't have access either.
There was a problem hiding this comment.
I switched to pull_request_target + checkout head. Now the jobs have access to the secrets.
But this also means we trust dependabot because the Jobs are now running with the code of the PR.
|
I changed this PR to only allow dependabot. We'll give the Settings described in #553 a try. |
czunker
force-pushed
the
christian/allow_fork_prs
branch
from
20d0597 to
3d96126
Compare
|
So, next take on this problem. According to the docs:
|
.github/workflows/tests.yaml
Outdated
| @@ -11,9 +11,13 @@ on: | |||
| jobs: | |||
| unit-tests: | |||
| runs-on: ubuntu-latest | |||
| if: github.actor == 'dependabot[bot]' || !github.event.pull_request_target.head.repo.fork | |||
There was a problem hiding this comment.
When we remove this line, even fork PRs should work. We could handle their approval with GitHub security settings as mentioned in #553 (comment)
There was a problem hiding this comment.
We would block the workflows from running via the approvals/tags on the PR then?
There was a problem hiding this comment.
Yes.
@benr has activated the security settings mentioned in the comment. I understand we would see an approval button for dependabot PRs and fork PRs when this line is gone.
Fixes #553 Signed-off-by: Christian Zunker <christian@mondoo.com>
Signed-off-by: Christian Zunker <christian@mondoo.com>
Signed-off-by: Christian Zunker <christian@mondoo.com>
Signed-off-by: Christian Zunker <christian@mondoo.com>
Signed-off-by: Christian Zunker <christian@mondoo.com>
Signed-off-by: Christian Zunker <christian@mondoo.com>
Signed-off-by: Christian Zunker <christian@mondoo.com>
Signed-off-by: Christian Zunker <christian@mondoo.com>
Because of: Error: reusable workflows are currently not supported (see nektos/act#826 for updates) Act does not support our workflow structure Signed-off-by: Christian Zunker <christian@mondoo.com>
Signed-off-by: Christian Zunker <christian@mondoo.com>
czunker
force-pushed
the
christian/allow_fork_prs
branch
from
3fa8b47 to
009e747
Compare
Signed-off-by: Christian Zunker christian@mondoo.com