search

Granola-Team / mina-indexer

The Mina Indexer is a re-imagined version of the software collectively called the "Mina archive node."
Apache License 2.0
19 stars 10 forks source link

Make CI secure against foreign repos #977

Closed robinbb closed 2 months ago

jhult commented 4 months ago

Cross-linking to some helpful info from the mina-block-explorer repo.

robinbb commented 2 months ago

Solution:

  1. Use Buildkite permissions to split CI into multiple tiers (tier-1, tier-2, etc.) for which only select individuals have access to tiers 2 and above.
  2. Only tier-1 is required to successfully merge a PR.
  3. In tier-1 CI machines, there are no credentials required to deploy, etc. So, in case a tier-1 CI machine is abused, only compute resources are lost. (Same as with GitHub Actions, for example.)
  4. Production deployments do not come same machine(s) as tier-1 CI.
  5. Distributed binaries are not built on tier-1 CI.