Open tbouffard opened 2 months ago
Work done with @benjaminParisel
All tests have been done in the https://github.com/process-analytics/github-actions-playground/ repository with a fake site.
Experimented with a solution in 2 steps, as described in https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
This custom implementation has been tested in a PR created from a fork repo, see https://github.com/process-analytics/github-actions-playground/pull/349. It has also been tested with a PR created from the target repository, see https://github.com/process-analytics/github-actions-playground/pull/350.
We have checked that the teardown can be managed in a specific workflow, like in https://github.com/process-analytics/github-actions-playground/pull/351
A contribution has been proposed to the official surge-preview action https://github.com/afc163/surge-preview/pull/294 which is based on our experiment.
To have a fully working solution:
- `surge-preview-tools` (in the bonitasoft/actions repo) action to make it support workflow_run to get the PR number (same implementation as in the proposed fix) (see https://github.com/bonitasoft/actions/pull/131)
- labs): https://github.com/bonitasoft/bonita-labs-doc/pull/159 + test with https://github.com/bonitasoft/bonita-labs-doc/pull/160
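Added example (not the project's code nor the surge-preview action's) of the privileged `workflow_run` half of the 2-step approach from the Security Lab article referenced above: the unprivileged `pull_request` workflow only uploads an artifact, and this workflow, which holds the secrets, treats the PR number in that artifact as untrusted input. The workflow name, artifact name, domain scheme and secret names are assumptions.

```yaml
# Added example (not the project's code): the privileged half of the two-step
# split from the Security Lab article. An unprivileged `pull_request` workflow
# named "Build preview" (assumed, not shown) builds the site into an artifact
# called "preview" that also contains pr-number.txt. This workflow runs on the
# default branch with secrets and never checks out or executes anything from the PR.
name: Deploy preview
on:
  workflow_run:
    workflows: [Build preview]
    types: [completed]
permissions:
  contents: read
  pull-requests: read   # for `gh pr view`; raise to write only if commenting on the PR
jobs:
  deploy:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # Fetch the artifact of the run that triggered us (no checkout of PR code).
      - uses: actions/download-artifact@v4
        with:
          name: preview
          path: preview
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - id: pr
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          # The artifact is untrusted input: accept only a plain integer, then check
          # that the PR with that number really points at the commit that was built,
          # so a PR cannot deploy its content under another PR's number.
          n=$(tr -d '[:space:]' < preview/pr-number.txt)
          rm -f preview/pr-number.txt
          [[ "$n" =~ ^[0-9]+$ ]] || { echo "invalid PR number in artifact" >&2; exit 1; }
          head=$(gh pr view "$n" --json headRefOid -q .headRefOid)
          [[ "$head" == "$HEAD_SHA" ]] || { echo "PR $n head $head != $HEAD_SHA" >&2; exit 1; }
          echo "number=$n" >> "$GITHUB_OUTPUT"
      # Deploy with the surge CLI; domain scheme and secret names are assumed.
      - run: npx surge ./preview "pr-${PR_NUMBER}-example-preview.surge.sh"
        env:
          PR_NUMBER: ${{ steps.pr.outputs.number }}
          SURGE_LOGIN: ${{ secrets.SURGE_LOGIN }}
          SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
```

The head SHA comparison is the check the article recommends in addition to validating the number's format; without it, the deploy step would trust whatever number the PR wrote into the artifact.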
ℹ️ Part of a top-level initiative: #670
Currently, the preview is built and only attached as an artifact of the GH Actions run. It is not deployed to surge, so there is no live environment available. Also be aware of #402.
Current limitations
Resources
Possible solutions
Investigations
See https://github.com/bonitasoft/bonita-documentation-site/issues/686#issuecomment-2066683375. It also includes next steps.