openmobilehub / android-omh-storage

https://www.openmobilehub.org
Apache License 2.0

Set up Manual Approval for Workflows using GitHub Environments #99

Closed dzuluaga closed 1 month ago

dzuluaga commented 2 months ago

Currently, some workflows, such as APK generation, may require access to secrets like signing keys. Granting write access to external contributors' PRs poses a security risk by potentially exposing sensitive information.

Instead, we should implement manual approval using GitHub Environments to allow PRs to be reviewed before workflows access sensitive data.

Action Items

  1. Create a new environment (e.g., testing) for the repository.
  2. Configure the environment to require manual approval before running workflows triggered by PRs.
  3. Update the GitHub Actions workflows to use the environment for APK generation and other sensitive tasks.
  4. Ensure that secrets are only accessible after the PR has been reviewed and approved.

Resources

Reference

For issues we’ve encountered in the past regarding PR security and secret exposure, see the discussion here: #86 Comment.

Expected Outcome

The repository will be secured by requiring manual approval before workflows using sensitive information are executed on external PRs.

adamTrz commented 1 month ago

Hi @dzuluaga, thanks for the idea of using environments! I guess it could work as intended and solve the issues that outside collaborators can have when contributing to OMH repos. I can see we already have a testing environment initially created; maybe we could work with it? That being said, we need all the secrets added to this testing environment, and I think you should have them, correct? Could you please populate them so I will be able to proceed with the rest of the setup?

adamTrz commented 1 month ago

Or we could go with another approach entirely as well.

Let's take a step back and consider the issue at hand - outside collaborators cannot access GH Secrets which in turn results in failed CI jobs like in this PR: https://github.com/openmobilehub/android-omh-storage/pull/88

But let me ask a question - maybe we don't need to build *.apk for all opened pull requests? What if we only run the Code Quality job for open Pull Requests and do the other CI/CD jobs once the PR is merged into the main branch? It actually looks like we have a similar setup for the React Native packages, where we only do quality checks and only build APKs once the PR is merged into main.

What do you think @dzuluaga ?

dzuluaga commented 1 month ago

That sounds like a good option, @adamTrz. Since we're not running end-to-end tests, generating APKs for open PRs seems unnecessary. Running Code Quality checks first and doing APK builds only after merging into the main branch, like we do with React Native packages, makes sense to avoid GH Secrets issues.

Thoughts?

adamTrz commented 1 month ago

> That sounds like a good option, @adamTrz. Since we're not running end-to-end tests, generating APKs for open PRs seems unnecessary. Running Code Quality checks first and doing APK builds only after merging into the main branch, like we do with React Native packages, makes sense to avoid GH Secrets issues.
>
> Thoughts?

Cool! I'll adjust our repos then! 👌

dzuluaga commented 1 month ago

Thanks, @adamTrz
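For illustration, here is an added example workflow (not the project's actual CI configuration) that combines the two approaches discussed in this thread: a secret-free Code Quality job that runs on every pull request, and an APK build that runs only after a merge to `main` and is additionally gated behind the `testing` environment so a reviewer must approve it before environment-scoped secrets are resolved. The Gradle task names, Java version and secret names (`KEYSTORE_BASE64`, `KEYSTORE_PASSWORD`) are assumptions for the example.

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the default GITHUB_TOKEN; no job here needs write access.
permissions:
  contents: read

jobs:
  code-quality:
    # Runs for every PR, including ones from forks. It references no secrets,
    # so a fork PR (which gets no secrets) cannot fail on a missing secret
    # and nothing sensitive is available to the PR's code.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'          # assumed
      - run: ./gradlew lint detekt    # assumed task names

  build-apk:
    # Never runs on the PR itself: only on a push to main, i.e. after merge.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: code-quality
    runs-on: ubuntu-latest
    # "testing" is configured in repo settings with Required reviewers.
    # The job pauses here until a reviewer approves; only then are the
    # environment-scoped secrets below resolved.
    environment: testing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'
      - name: Decode signing keystore (environment-scoped secret, assumed name)
        run: echo "$KEYSTORE_BASE64" | base64 -d > release.keystore
        env:
          KEYSTORE_BASE64: ${{ secrets.KEYSTORE_BASE64 }}
      - run: ./gradlew assembleRelease
        env:
          KEYSTORE_PASSWORD: ${{ secrets.KEYSTORE_PASSWORD }}
```

Keeping the secrets in the environment rather than at repository level means the `code-quality` job cannot reference them even by mistake, and the approval step shows up as a pending deployment on the run page.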