openzim / _python-bootstrap

Sample openZIM Python project bootstrap

Test CI is failing for external contributors #47

Open benoit74 opened 4 days ago

benoit74 commented 4 days ago

Currently, test CI is using the pull_request trigger. However, with this trigger the secrets are not populated when the PR author is external to the repository.

This is done on purpose for security reasons: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Many people on the internet suggest using pull_request_target, but according to a quick look at the GitHub securitylab article, this is only a workaround which does not help with security at all.

The proper solution seems to be to separate the workflow in two:

Seems pretty simple to implement, but to be confirmed (I skimmed through the GitHub article way too fast) and tested of course.
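As an added illustration of the two-workflow split discussed above (example configuration, not the repository's own workflows): the first workflow stays on the `pull_request` trigger, so a fork PR runs without secrets and only publishes its coverage report as an artifact; the second runs on `workflow_run` in the base repository's context, where the secret is available, and never checks out or executes the PR's code. File paths, the `pip install -e .[test]` / pytest command, the `coverage` artifact name and the `CODECOV_TOKEN` secret are assumptions; the downloaded artifact is fork-produced data and is treated as untrusted input, not as code.

```yaml
# Assumed path: .github/workflows/tests.yml
# pull_request trigger: fork PRs get no secrets here, which is what we want.
name: Tests
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e .[test] && pytest --cov --cov-report=xml  # assumed command
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage.xml
---
# Assumed path: .github/workflows/coverage-upload.yml
# workflow_run trigger: runs from the base branch with secrets available.
# It only consumes the artifact produced above; it never checks out or runs PR code.
name: Coverage upload
on:
  workflow_run:
    workflows: [Tests]
    types: [completed]
jobs:
  upload:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.conclusion == 'success'
    permissions:
      actions: read   # least privilege: just enough to fetch the artifact
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            const run_id = context.payload.workflow_run.id;
            const { data } = await github.rest.actions.listWorkflowRunArtifacts({
              owner: context.repo.owner, repo: context.repo.repo, run_id });
            const art = data.artifacts.find(a => a.name === 'coverage');
            if (!art) throw new Error('coverage artifact not found');
            const zip = await github.rest.actions.downloadArtifact({
              owner: context.repo.owner, repo: context.repo.repo,
              artifact_id: art.id, archive_format: 'zip' });
            require('fs').writeFileSync('coverage.zip', Buffer.from(zip.data));
      - run: unzip -o coverage.zip coverage.xml   # extract only the expected file
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}   # assumed secret name
          files: coverage.xml
```

The upload job's only input from the fork is `coverage.xml`, so a malicious PR can at worst publish a bogus coverage figure, not read the token or run code with it.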

rgaudin commented 4 days ago

Indeed!

For use cases where there's more to protect than coverage upload, we use GitHub deployments with validations (to be seen in kiwix/apple).