Closed Malax closed 1 year ago
Closing for now since the manual trigger doesn't work for external PRs (from humans) yet. I think we can write something that works for those as well, but this isn't a priority task right now. We'll work around this for @dependabot by using dependabot secrets.
Adds `workflow_dispatch` as a trigger for the `ci` workflow.

When an outside collaborator opens a PR, that PR will run without any secrets present, causing the Hatchet jobs to fail. This is good from a security standpoint, but to move forward with a PR, we want to verify that CI passes. Branch protection rules wouldn't allow merging the PR with failed jobs anyway. This affects @dependabot as well.
By allowing a manual dispatch, the job will be run with the permissions of the person initiating the manual dispatch. After inspecting the PR for secret exfiltration and the like, maintainers can move forward with a PR from an outside collaborator. It is important to note that triggering a re-run of the failed workflow as an actor with elevated permissions will not change the permissions for that re-run as stated in the docs:
It would also be possible to work around this issue for @dependabot by using a conditional workflow just for @dependabot with the `pull_request_target` trigger. I opted not to do that since this doesn't fix the issue when outside (human) collaborators open a PR. If we want to simplify @dependabot PRs specifically, we can duplicate the required secrets to the @dependabot secrets, which will be available in the workflow (ref). This can be done outside of this PR.

Refs: