go-tfe icon indicating copy to clipboard operation
go-tfe copied to clipboard

Published 20 hours ago verified publisher icon hashicorp

Update workflow to include pull_request_target

Open annawinkler opened this issue 2 years ago • 4 comments

Description

Add pull_request_target to the ci workflow so forks from this repository will also be able to run the ci integration tests.

Testing plan

  1. We could create a fork from this branch and see if the tests run.
  2. Do we tests workflows any other way? (I was reading about act

External links

Output from tests

Including output from tests may require access to a TFE instance. Ignore this section if you have no environment to test against.

$ TFE_ADDRESS="https://example" TFE_TOKEN="example" TF_ACC="1" go test ./... -v -tags=integration -run TestFunctionsAffectedByChange

...

Feels gif

annawinkler avatar Aug 17 '22 18:08 annawinkler

I'm not seeing the test workflow running though 🤔

annawinkler avatar Aug 17 '22 19:08 annawinkler

Re-reading through the docs, it looks like there is no way a fork can access Github secrets (I assumed manual approval would be sufficient). I think our solution here is to either create a local branch with the fork's changes manually or introduce some automated way to do it.

sebasslash avatar Aug 17 '22 19:08 sebasslash

Re-reading through the docs, it looks like there is no way a fork can access Github secrets (I assumed manual approval would be sufficient). I think our solution here is to either create a local branch with the fork's changes manually or introduce some automated way to do it.

Hm... It sounded like we could based on this post 🤔

annawinkler avatar Aug 17 '22 20:08 annawinkler

My understanding is pull_request_target was introduced because the pull_request event prevents write permissions and secrets access to the target repository. Thus, workflows triggered via pull_request_target have write permissions to the target repository. Additionally, workflows triggered by pull_request_target events are run in the context of the base branch, and the base branch is considered trusted, so those workflows will always run.

On the contrary, I've come across a few warnings regarding the pull_request_target event.

Security Lab @ GitHub noted:

You may ask yourself: if the pull_request_target workflow only checks out and builds the 
PR, i.e. runs untrusted code but doesn’t reference any secrets, is it still vulnerable?

Yes it is, because a workflow triggered on pull_request_target still has the read/write repository 
token in memory that is potentially available to any running program.

laurenolivia avatar Aug 29 '22 20:08 laurenolivia

Closing because we're still working on ideas.

annawinkler avatar Oct 19 '22 18:10 annawinkler