Open CodeGat opened 2 months ago
Just working on the `dev-*` branch repro checks and have bumped into a security hole.
The GitHub Environment that allows us to deploy to Gadi only allows deployment from protected (source) branches (`release-*`, `dev-*`).
This protects us from bad actors modifying the workflow files and opening an (auto-CI-running) PR because they must first get it into `dev-*` via a pull request (which currently doesn't access the Gadi Environment). In order to allow Environments (and hence repro) on PRs into `dev-*`, we have three options:

`on.pull_request`. So we need a check outside of the file itself.

There is a GitHub setting "Fork pull request workflows from outside collaborators" which you can set to "Require approval for all outside collaborators" - I had assumed this would be sufficient?
Yeah, I'm starting to think the above security hole isn't as much of an issue. We lock down who has write access in our own org, and forks don't have access to upstream environments.
Background
Since the QA checks are run before the Repro checks in `release-*` branches, we might as well add them to `dev-*` as well. This gives the `dev-*` PRs the ability to test reproducibility before opening a `release-*` PR and potentially having to go back and open a `dev-*` PR again if one gets an unfavourable reproducibility result.

Considerations
`source` branch rather than the `target` branch.
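To make the pieces of this discussion concrete, here is an added illustration (not a workflow from the repository itself) of a repro-check workflow for PRs into `dev-*` that references the Gadi Environment; the workflow name, the checkout action and the script path are assumed. Its point is the one made above: any condition written in the file can be edited away by the PR that triggers it, so the controls that actually protect the Environment are the ones configured outside the file.

```yaml
# Added example, not the project's own workflow. Names marked "assumed" are placeholders.
#
# Controls that live OUTSIDE this file (repo Settings), and therefore cannot be
# removed by a PR that edits the workflow:
#   1. Environment "Gadi" -> Deployment branches: release-*, dev-*
#   2. Actions -> General -> Fork pull request workflows from outside collaborators:
#      "Require approval for all outside collaborators"
#   3. Branch protection on dev-* and release-*, so only org members with write
#      access can get workflow changes onto a protected source branch
name: repro-check                      # workflow name assumed
on:
  pull_request:
    branches:
      - 'dev-*'                        # filters on the PR's *target* branch only
jobs:
  repro:
    runs-on: ubuntu-latest
    # In-file guard: skip PRs whose head branch lives in a fork. This is a
    # convenience, not the security boundary, because the same PR can delete it.
    if: github.event.pull_request.head.repo.full_name == github.repository
    environment: Gadi                  # environment name from the discussion above
    steps:
      - uses: actions/checkout@v4
      - name: Run reproducibility check
        run: ./scripts/repro-check.sh  # script path assumed
```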