zooniverse / pfe-lab

Project and Organization management functions for PFE
https://lab.zooniverse.org/
Apache License 2.0

[Security] The Node build has access to our Azure secrets #263

Closed eatyourgreens closed 2 years ago

eatyourgreens commented 2 years ago

Azure secrets here are available to npm ci and the build, but they're only needed during the deploy step. https://github.com/zooniverse/pfe-lab/blob/2f097d8093983488492d49ed20de9b58815b0bd2/.github/workflows/deploy_branch.yml#L21-L29

See PFE for an example of workflows which keep the build and deploy jobs separate, with Azure secrets only passed to the deploy job.

eatyourgreens commented 2 years ago

The danger here is that we don't want to expose secrets to package post-install scripts (eg. node-sass post-install builds), if we don't have to.
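The split the two comments above describe, shown as an added illustration (not pfe-lab's own workflow): the first document is the weak shape, where workflow-level `env` makes the secrets visible to `npm ci` and every post-install script it runs; the second gives the build job no secrets and passes them only to the deploy job, which consumes the built artifact. The secret names, the `dist` directory and `./deploy.sh` are placeholders.

```yaml
# WEAK (placeholder names): secrets set at workflow level reach every step,
# including `npm ci` and any package post-install script it executes.
name: deploy-branch-weak
on: { push: { branches: [main] } }
env:
  AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
  AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci            # post-install scripts run with the secrets in env
      - run: npm run build
      - run: ./deploy.sh dist  # placeholder deploy step
---
# CORRECTED: build runs with no secrets; only the deploy job, which starts after
# the untrusted install/build has finished, receives them.
name: deploy-branch-split
on: { push: { branches: [main] } }
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci            # no secrets in the environment here
      - run: npm run build
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: dist           # placeholder build output directory
  deploy:
    needs: build
    runs-on: ubuntu-latest
    env:
      AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
      AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: dist
      - run: ./deploy.sh dist  # placeholder deploy step; only this job sees secrets
```

The two documents are separated by `---` only for side-by-side reading; each would live in its own workflow file. Where the dependency tree allows it, `npm ci --ignore-scripts` in the build job further limits what post-install scripts can do, but packages such as node-sass rely on those scripts, which is why isolating the secrets is the more general fix.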

eatyourgreens commented 2 years ago

This issue probably affects a few of our repos.

mcbouslog commented 2 years ago

Per #264:

Use the shared workflows. See them here: https://github.com/zooniverse/ci-cd/tree/main/.github/workflows

And an example: https://github.com/zooniverse/pandora/blob/master/.github/workflows/deploy_production.yml