chore: Fixing non-propagated custom GH token in forked PRs #134
Conversation
heyvister1
force-pushed
the
fix-non-propagated-gh-token
branch
from
6c986c3 to
c911071
Compare
heyvister1
changed the title
heyvister1
changed the title
heyvister1
force-pushed
the
fix-non-propagated-gh-token
branch
from
c911071 to
859e91e
Compare
|
What happens if some one creates a PR to this action with a script to exfiltrate the token before the check runs? |
He needs to gain GH_TOKEN first, but he should be blocked on the first step which checks his membership |
.github/workflows/docs-ci.yaml
Outdated
| response=$(curl -H "Authorization: Bearer $GH_TOKEN" \ | ||
| -H "Accept: application/vnd.github+json" \ | ||
| "https://api.github.com/orgs/Mellanox/teams/cloud-orchestration/members/$ACTOR") | ||
|
|
||
| if [[ $(echo "$response" | jq -r '.message') == "Not Found" ]]; then |
There was a problem hiding this comment.
Does the GH API return an appropriate status code (404?) if the actor is not part of the organization?
If so, this could be shortened to if curl -f ... ; then?
What if I create an MR which changes that first step? |
So this is not only related to my PR change, if anyone can create its own workflow file which will be engaged in PR then we're in a bad shape. |
The current trigger configuration doesn't trigger on PRs, so shouldn't this not be a problem? And either way - we can configure the repository (Settings -> Actions -> General -> Approval for running fork pull request workflows from contributors to Require approval for all external contributors. |
.github/workflows/docs-ci.yaml
Outdated
| runs-on: ubuntu-latest | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GH_TOKEN_NVIDIA_CI_CD }} | ||
| GH_TOKEN: ${{ secrets.GH_TOKEN }} |
There was a problem hiding this comment.
is it GITHUB_TOKEN ?
There was a problem hiding this comment.
need to make sure the GITHUB_TOKEN used in network-operator is sufficient.
.github/workflows/docs-ci.yaml
Outdated
| @@ -27,10 +31,24 @@ jobs: | |||
| PR_NUMBER: ${{ github.event.number }} | |||
| PR_TITLE_PREFIX: "task: update documentation for" | |||
| steps: | |||
| - name: Check if PR actor is part of team | |||
There was a problem hiding this comment.
i dont think this is needed.
this workflow is only triggered by other workflows not PRs.
the other workflow needs to have the needed ppermissions in order to trigger workflow in this repo.
currently only members of Mellanox org can trigger workflows for this project (i just modfied this in setting)
A new step has been added to verify that actor is a member of Mellanox/cloud-orchestration team
heyvister1
force-pushed
the
fix-non-propagated-gh-token
branch
from
859e91e to
1f0bd13
Compare
.github/workflows/docs-ci.yaml
Outdated
| runs-on: ubuntu-latest | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GH_TOKEN_NVIDIA_CI_CD }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
are we using this env var in the job ?
There was a problem hiding this comment.
@adrianchiris see my comment from the original line 33 in this file:
# token must be explicitly set here for push to work in following step
@heyvister1 , although you renamed the secret variable (in line 33) - perhaps it's worth preserving the comment (unless you tested that after your change the token no longer needs to be explicitly set?).
… contributers from triggering workflows
heyvister1
force-pushed
the
fix-non-propagated-gh-token
branch
from
1f0bd13 to
7145c22
Compare
| @@ -65,7 +65,8 @@ jobs: | |||
| run: | | |||
| git config user.name nvidia-ci-cd | |||
| git config user.email [email protected] | |||
| gh repo fork --remote --default-branch-only | |||
There was a problem hiding this comment.
No need to fork docs repo, since there is already an existing fork for nvidia-ci-cd user
Since custom GH secrets are not propagated for forked repos, we need a way to have GH token to generate docs repo PRs under network-operator repo.
Solution:
GH_DOCS_TOKENPAT token fornvidia-ci-cduser