getsentry / sentry-react-native

Official Sentry SDK for React Native
https://sentry.io
MIT License

Add GH Action to warn devs about `sentryAuthToken` changes #3683

Open krystofwoldrich opened 5 months ago

krystofwoldrich commented 5 months ago

Description

To prevent https://github.com/getsentry/sentry-react-native/security/advisories/GHSA-68c2-4mpx-qh95 in the future, we can add a GitHub Action which will add a warning to a PR when changes related to handling sentry auth token are included.

Impl can be a simple string search for sentryAuthToken, SENTRY_AUTH_TOKEN, and similar.

krystofwoldrich commented 5 months ago

This warning should not be triggered for changes in GH actions yml files.
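The check described in the issue (a string search over the PR diff for sentryAuthToken, SENTRY_AUTH_TOKEN and similar, with workflow yml files excluded) as an added example; this is not code from the sentry-react-native project. The scanner reads a unified diff, and the sample diff it runs on is constructed here: the withSentry.ts path is the file named in the issue, but the hunk contents, the release.yml workflow and utils.ts are made up for the test. It goes slightly beyond the issue text by also matching the bare authToken variable name mentioned in the last comment.

```bash
#!/usr/bin/env bash
# Added example (not project code): flag added/removed diff lines that touch
# Sentry auth token handling, skipping .github/workflows/*.yml changes.
set -u

# Case-insensitive pattern: sentryAuthToken, SENTRY_AUTH_TOKEN, sentry-auth-token, authToken.
AUTH_TOKEN_PATTERN='sentry[_-]?auth[_-]?token|authtoken'

# Reads a unified diff on stdin and prints "path: <line>" for every added or
# removed line that matches, unless the file is a GitHub Actions workflow.
# Exit status: 0 = nothing found, 1 = at least one hit (so a job can warn).
scan_diff_for_auth_token() {
  awk -v pat="$AUTH_TOKEN_PATTERN" '
    substr($0, 1, 4) == "+++ " {          # new-file header: "+++ b/path/to/file"
      file = $2; sub(/^b\//, "", file)
      skip = (file ~ /^\.github\/workflows\/.*\.ya?ml$/)
      next
    }
    substr($0, 1, 4) == "--- " { next }   # old-file header, not a removed line
    skip { next }                         # workflow file: ignore its hunks
    /^[+-]/ {                             # added or removed content line
      if (tolower($0) ~ pat) { print file ": " $0; hits++ }
    }
    END { if (hits > 0) exit 1; exit 0 }
  '
}

# Constructed sample diff: a plugin change touching authToken (should warn),
# a workflow change (must be skipped) and an unrelated change (no hit).
sample_diff() {
  cat <<'EOF'
diff --git a/plugin/src/withSentry.ts b/plugin/src/withSentry.ts
--- a/plugin/src/withSentry.ts
+++ b/plugin/src/withSentry.ts
@@ -10,3 +10,3 @@
 const org = options.organization;
-const authToken = options.authToken;
+const authToken = process.env.SENTRY_AUTH_TOKEN ?? options.authToken;
 const project = options.project;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,2 +5,2 @@
-          SENTRY_AUTH_TOKEN: ${{ secrets.OLD_TOKEN }}
+          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
diff --git a/src/js/utils.ts b/src/js/utils.ts
--- a/src/js/utils.ts
+++ b/src/js/utils.ts
@@ -1,1 +1,1 @@
-export const VERSION = "1.0.0";
+export const VERSION = "1.0.1";
EOF
}

# Demo run on the constructed diff; in a real job feed it `git diff <base>...HEAD`.
sample_diff | scan_diff_for_auth_token \
  || echo "warning: this PR changes Sentry auth token handling, please review"
```

On the sample diff the scanner reports the two withSentry.ts lines and nothing from release.yml, and returns 1, which is the signal a workflow step would turn into a PR comment.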

lucas-zimerman commented 1 month ago

This may be closed once https://github.com/getsentry/.github/issues/134 is fixed

krystofwoldrich commented 1 month ago

This GH Issue is about adding a warning like https://github.com/getsentry/sentry-cocoa/pull/4091#issuecomment-2180159176

[Screenshot 2024-07-12 at 15:24:11]

For example changes in https://github.com/getsentry/sentry-react-native/blob/9d86532d68474e40b8d0c346799236ab466c0cb7/plugin/src/withSentry.ts related to the authToken variable should trigger such a warning.