Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Split validation workflow #10

Open
joyeecheung opened this issue Dec 3, 2024 · 5 comments · Fixed by #31
Open

Split validation workflow #10

joyeecheung opened this issue Dec 3, 2024 · 5 comments · Fixed by #31
Labels
good first issue Good for newcomers

Comments

@joyeecheung
Copy link
Member

joyeecheung commented Dec 3, 2024

As mentioned in #5 (comment)

...apparently the secrets are not passed into workflow runs triggered by PRs from forks. So I guess that means we should split the validation into two parts:

  1. If it's triggered by a PR from a branch in this repo (which means it must be from someone who already has write access here), it can invoke additional validation to check the URLs are reachable and valid (which requires access to bluesky secrets).
  2. Otherwise, only local validations are run on the JSON files.

This means:

  1. Split everything below
    const agent = await login(account);
    to a separate file
  2. Splitting https://github.com/nodejs/bluesky/blob/main/.github/workflows/validate.yml into two workflows, one local and one remote. PRs started from a branch in this repo get both run for them, and PRs from forks just run the one that's without the login.
@joyeecheung joyeecheung added the good first issue Good for newcomers label Dec 3, 2024
@Ishan-Jadhav
Copy link

Hi joyeecheung,
Can I work on this issue?

@joyeecheung
Copy link
Member Author

Sure, go ahead please!

@joyeecheung
Copy link
Member Author

Reopened because of #55 - I think for maximum safety, we should still split the validation workflows and only invoke validation that needs secrets for PRs opened from this repo.

joyeecheung added a commit that referenced this issue Jan 9, 2025
See #55 - using pull_request_target would allow the workflow to run without authorization. While there are some code in this workflow to defend against naive attacks e.g. adding scripts to the actions, there could be other attack vectors e.g. via specially crafted branch names or file names that evade GitHub's escape rules. It would be too hard to wrap our head around this, so the easiest way to defend against it would be to restrict full validation that require access to secrets to PRs opened from branches in this repo.

For PRs opened from forks, I think we should go back to what I proposed in #10 - that is, only run local validations that require no access to secrets, and use `pull_request` for it.

cc @aduh95 @nodejs/tsc
joyeecheung added a commit that referenced this issue Jan 9, 2025
See #55 - using pull_request_target would allow the workflow to run without authorization. While there are some code in this workflow to defend against naive attacks e.g. adding scripts to the actions, there could be other attack vectors e.g. via specially crafted branch names or file names that evade GitHub's escape rules. It would be too hard to wrap our head around this, so the easiest way to defend against it would be to restrict full validation that require access to secrets to PRs opened from branches in this repo.

For PRs opened from forks, I think we should go back to what I proposed in #10 - that is, only run local validations that require no access to secrets, and use `pull_request` for it.

cc @aduh95 @nodejs/tsc
@aduh95
Copy link
Contributor

aduh95 commented Jan 9, 2025

Another idea would be to use a Merge Queue; the downside is we can't know there's a failure until we attempt to land the PR – basically, the process would be if a PR looks good enough to a reviewer, they add it to the merge queue (the usual green merge button on GH UI), and either the validation succeeds and the PR is merged, either it fails and the PR stays open.

Ideally we would not handle just the validation from the queue but also the actual processing, I'm not sure if that would work, I guess I can try and see.

@joyeecheung
Copy link
Member Author

I think the only difference in that case is that when it fails the PR stays open? We are already able to do these with our current workflows:

  1. Full validation if it comes from a branch here
  2. Validate and process it once it's merged (it's also validated in process.js, just not going to be done after it's merged, not before it's merged).

This issue only proposes to add one more workflow to perform local validation for branches from forks, I think the merge queue idea would be separate, because using that still doesn't help anything with "at least get some early warning before we push the merge button", which is what this issue tries to address.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Good for newcomers
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants