CircleCI-Public / orb-tools-orb

Various tools for authoring and publishing CircleCI orbs
https://circleci.com/orbs/registry/orb/circleci/orb-tools
MIT License
50 stars 74 forks

False positive result for `trigger-integration-dev` job on PRs from fork #139

Closed jsab closed 1 year ago

jsab commented 2 years ago

Orb version:

10.0 (https://github.com/CircleCI-Public/Orb-Project-Template/blob/e388c329da98fba7ede5f7226b6aacb0b9eec185/.circleci/config.yml#L6)

What happened:

When working on an orb following the Orb-Project-Template, and opening a PR from a fork, the test-pack workflow will succeed including the trigger-integration-dev command. However, the integration-test_deploy workflow will not actually be triggered.

Logs of the last step (Trigger integration test workflow) are as follows:

    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
  100   138  100    36  100   102    160    453 --:--:-- --:--:-- --:--:--   613
  Pipeline triggered!
  https://app.circleci.com/jobs/gh/<myOrg>/<myOrb>/null

CircleCI received exit code 0

Note the null at the end of the link.

Expected behavior:

Best case would be to work with forks.

Second best case if not possible would be to fail with a message saying that PRs from forks are not supported.

Additional Information:

Feel free to contact me if more details are required.
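The "second best case" above, the trigger step failing loudly instead of printing a link ending in `null`, as an added example (this is not the orb's own trigger script). It assumes a successful CircleCI v2 "trigger a pipeline" response carries a numeric `number` field, which is what the link is built from, and that an error body carries none; the two sample bodies at the bottom are constructed, not captured from the API.

```shell
#!/bin/sh
# Added example, not the orb's own script: validate the response of the
# CircleCI v2 "trigger a pipeline" call before reporting success.
# Assumption: a successful response is JSON with a numeric "number" field
# (the pipeline number used in the link); an error body has none.
# The sample bodies at the bottom are constructed for demonstration.

# extract_pipeline_number BODY: print the value of "number", or nothing.
extract_pipeline_number() {
  printf '%s' "$1" | sed -n 's/.*"number"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# check_trigger_response ORG PROJECT BODY
# Prints the pipeline link and returns 0 only when a pipeline was created;
# otherwise returns 1 and shows the raw body instead of a ".../null" link,
# so the CI step fails rather than reporting "Pipeline triggered!".
check_trigger_response() {
  org=$1; project=$2; body=$3
  number=$(extract_pipeline_number "$body")
  if [ -z "$number" ]; then
    echo "Pipeline was NOT triggered. API response: ${body}" >&2
    echo "Hint: for a PR from a fork the project's CircleCI token is not available to the job." >&2
    return 1
  fi
  echo "Pipeline triggered!"
  echo "https://app.circleci.com/jobs/gh/${org}/${project}/${number}"
  return 0
}

# Constructed sample bodies (not real API captures).
OK_BODY='{"number":42,"state":"pending","id":"0a1b2c3d-0000-4000-8000-000000000000","created_at":"2021-01-01T00:00:00Z"}'
ERR_BODY='{"message":"Permission denied"}'

# Demo: the first call prints a usable link, the second fails with a diagnostic.
check_trigger_response myOrg myOrb "$OK_BODY"
check_trigger_response myOrg myOrb "$ERR_BODY" || true
```

The underlying reason the original step passed is that `curl` exits 0 on any HTTP response it manages to read, so the step's exit code reflected the transfer, not the API's answer; checking the body (or using `curl --fail`, which exits non-zero on 4xx/5xx) is what turns the false positive into a failed step.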

KyleTryon commented 1 year ago

Hello @jsab, sorry for the wait here. This is known and unfortunately expected. To publish even a dev version of the orb would require access to your CircleCI Personal Access Token for the build. Unfortunately the risk is too great when allowing forked PRs, as their PR could be crafted to expose this token in some way (posting it to an API for instance). Forked PRs are also often abused by crypto miners.

Instead the way we handle this is by cloning the user's branch after reviewing it manually, and then pushing the branch to our repo. Because the commit SHA is exactly the same, but the new commit is triggered by you, the build will run properly.

This gives you a way to manually ensure that contributions are not malicious in any way, prior to running tests from outside contributors.

Here is a semi-relevant video on securing your publishing token to ensure outside users could not access it, even if you did allow forked PRs to run (though they would fail at this point). https://www.youtube.com/watch?v=ImPE969yv08
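The fetch, review, push workflow described in the reply above, scripted, as an added example (not the project's own tooling). It assumes the upstream repository is the `origin` remote with a `main` base branch, that GitHub exposes the PR's head commit as `refs/pull/<N>/head`, and that the caller passes the PR number and the head SHA they reviewed on the PR page; the SHA check refuses to push if the contributor has pushed new commits since the review, since a build with secrets would otherwise run code nobody looked at.

```shell
#!/bin/sh
# Added example, not the project's own tooling: bring a reviewed fork PR's
# commit into the upstream repo so CircleCI builds it as a non-fork build.
# Assumptions: upstream is the "origin" remote, the base branch is "main",
# and GitHub exposes the PR head as refs/pull/<N>/head.
# Inputs: the PR number and the head SHA you reviewed on the PR page.

ORIGIN=${ORIGIN:-origin}
BASE_BRANCH=${BASE_BRANCH:-main}

# Branch name the reviewed commit will get in the upstream repo.
pr_branch_name() {
  printf 'contrib/pr-%s\n' "$1"
}

# same_sha A B: succeed only when A is a full 40-hex lowercase commit id
# equal to B. Prefixes are rejected so an abbreviated SHA copied from a
# chat cannot pass as "the commit I reviewed".
same_sha() {
  case "$1" in *[!0-9a-f]*) return 1 ;; esac
  if [ "${#1}" -eq 40 ] && [ "$1" = "$2" ]; then
    return 0
  else
    return 1
  fi
}

# import_fork_pr N SHA: fetch the PR head, stop if it moved since review,
# show the CI-config diff, then push the identical commit as an upstream
# branch. The SHA does not change, but the push is made by the maintainer,
# so CircleCI treats the resulting pipeline as the project's own.
import_fork_pr() {
  pr=$1; reviewed=$2; branch=$(pr_branch_name "$pr")

  git fetch "$ORIGIN" "refs/pull/${pr}/head" || return 1
  head=$(git rev-parse FETCH_HEAD) || return 1
  same_sha "$head" "$reviewed" || {
    echo "refusing: PR #${pr} head is ${head}, reviewed SHA was ${reviewed}" >&2
    return 1
  }

  # The CI config is where a malicious PR would read or exfiltrate a token;
  # show it explicitly before the commit runs with project secrets.
  git diff --stat "${ORIGIN}/${BASE_BRANCH}...${head}"
  git diff "${ORIGIN}/${BASE_BRANCH}...${head}" -- .circleci/

  # Push the exact commit (same SHA) under the maintainer's own credentials.
  git push "$ORIGIN" "${head}:refs/heads/${branch}" || return 1
  echo "pushed ${head} as ${branch}; CircleCI will run it as a non-fork build"
}

# Usage: sh import_fork_pr.sh <pr-number> <reviewed-sha>
if [ "$#" -eq 2 ]; then
  import_fork_pr "$1" "$2"
fi
```

Pushing by SHA (`<sha>:refs/heads/<branch>`) rather than checking the branch out and re-committing is what keeps the commit id identical to the one on the PR, so the contributor's PR page and the upstream build refer to the same object; the branch name itself is a convention this example assumes, not one the project prescribes.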