
Investigate to integrate jest-github-reporter

Open · pradel opened this issue 4 years ago · 1 comment

https://github.com/hipstersmoothie/jest-github-reporter

pradel avatar Sep 19 '19 08:09 pradel

Thanks for opening this issue :)

In order to integrate it into the repo, there is some preparation to do. This app needs to be installed into the repo.

However, there is a warning with that method. They share the private key used in the checks API. Taken from their source code:

/**
 * Before you say anything I *know* this is horribly insecure.
 *
 * If we were not to do this then every user would have to create
 * their own GitHub App and manage the APP_ID and PRIVATE_KEY through
 * env vars.
 *
 * How could this go wrong? Well this PRIVATE_KEY only creates jwt
 * tokens that work on people who have installed the Jest Results
 * App. If an attacker got ahold of the token they could only read repo
 * metadata and read/write checks. So the attack surface is really only
 * messing with a user's checks, which is not too risky.
 */

We can avoid using this method by creating our own GitHub App as stated here. But it will be beneficial only if we can securely handle env vars in CircleCI (or GitHub Actions).

That being said, I don't mind doing the code changes.

ozsay avatar Sep 19 '19 12:09 ozsay