
chore: secure tokens #276

Merged
merged 11 commits into from
Aug 18, 2023

Conversation

chrisba11
Contributor

@chrisba11 chrisba11 commented Aug 16, 2023

This splits the secureliCI.yml workflow into a "Build & Test" workflow that runs on every push to any branch other than main and a "Publish" workflow that only runs on push to main. The Publish workflow will use the Build & Test workflow, so those jobs will run prior to releasing/publishing changes.

The primary focus of this is to stop using an org secret to house the GH App private key, so it is only accessible by workflows that use the publish environment, which is where the new environment secret exists that houses the private key. This keeps contributors from being able to modify a workflow to allow it to run code that will expose the contents of a secret. Now, any workflow attempting to use the Actions Helper GH App token must use the publish environment, which is only available from the main branch.

Resolves #275
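As an added illustration of the split described in this PR (not the project's actual workflow files), the two workflows in GitHub Actions terms; file names, job ids, script paths, the secret/variable names and the token-minting action are assumptions of this example:

```yaml
# .github/workflows/build-test.yml (hypothetical file name)
# Runs on every push to a non-main branch, and can be called by other
# workflows so Publish reuses these jobs instead of duplicating them.
name: Build & Test
on:
  push:
    branches-ignore: [main]
  workflow_call:
permissions:
  contents: read          # no secrets needed here; least privilege
jobs:
  build-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./scripts/build-and-test.sh   # placeholder for the real steps
---
# .github/workflows/publish.yml (hypothetical file name)
# Runs only on push to main; Build & Test must pass first.
name: Publish
on:
  push:
    branches: [main]
permissions:
  contents: read
jobs:
  build-test:
    uses: ./.github/workflows/build-test.yml   # reuse via workflow_call
  publish:
    needs: build-test
    runs-on: ubuntu-latest
    # Environment secrets are only injected into jobs that declare this
    # environment. In Settings > Environments > publish, restrict
    # "Deployment branches" to main, so a job on any other branch that
    # adds `environment: publish` is rejected rather than handed the key.
    environment: publish
    steps:
      - uses: actions/checkout@v3
      # Mint a short-lived installation token from the GH App private key
      # held as an environment secret. The action used here is an
      # assumption of this example, not something the PR names.
      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ vars.ACTIONS_HELPER_APP_ID }}          # constructed name
          private-key: ${{ secrets.ACTIONS_HELPER_PRIVATE_KEY }}  # constructed name
      - run: ./scripts/publish.sh           # placeholder release step
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
```

The branch restriction lives in the environment's settings, not in the YAML: without it, a feature-branch workflow could still declare `environment: publish` and receive the secret.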

@github-actions github-actions bot left a comment


PR title failed to match (chore|style|test|feat|fix|docs): .+

@chrisba11 chrisba11 changed the title ci: secure tokens chore: secure tokens Aug 16, 2023
@github-actions github-actions bot dismissed their stale review August 16, 2023 22:42

All good!

@chrisba11 chrisba11 merged commit 896bf6f into main Aug 18, 2023
@chrisba11 chrisba11 deleted the feature/secureli-275-secure-tokens branch August 18, 2023 19:20
Successfully merging this pull request may close these issues.

Secure tokens so they cannot be printed to Actions console output by any user with access to run GH Actions.