
Workflow unable to read preview-db secrets #2618

@flacial

Description


Problem

An event triggers a GitHub Actions workflow; it could be when a PR is created or closed, a commit has been pushed, or a new release is published.

In our case, we have the pull_request:closed trigger, which starts a workflow when a pull request is closed. It doesn't allow write access to the repo or read access to the secrets.

Since it prevents reading the secrets, the workflow for updating the preview DB fails because it needs to read the PREVIEW_DB_KEY secret.

There's another trigger called pull_request_target:closed that allows a PR-executed workflow to read the secrets.

Solution

Update the trigger to be pull_request_target.

Security concerns

It's dangerous to use the solution trigger in the build step. To prevent malicious code from being executed when a PR from a fork is created, we should disallow auto CI/CD execution and thoroughly go over the PR changes to ensure safety.
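As an added example (not the project's actual workflow), the shape of a pull_request_target workflow that can read the secret while never executing code from the fork; the job name and the script path are placeholders, PREVIEW_DB_KEY is the secret named in the issue.

```yaml
# Added example, not the repository's own workflow file.
# Assumed names: job "update-preview-db" and "scripts/update-preview-db.sh"
# are placeholders; PREVIEW_DB_KEY is the secret the issue refers to.
name: Update preview DB on PR close

on:
  # pull_request_target runs in the context of the BASE repository, so the
  # job can read secrets even when the PR comes from a fork. That is exactly
  # why it must only run trusted code from the base branch.
  pull_request_target:
    types: [closed]

permissions:
  contents: read   # least privilege: this job needs no write access

jobs:
  update-preview-db:
    runs-on: ubuntu-latest
    steps:
      # actions/checkout defaults to the base branch under pull_request_target.
      # Do NOT add `ref: ${{ github.event.pull_request.head.sha }}` here: that
      # would build/run the fork's code with the secrets available.
      - uses: actions/checkout@v4

      - name: Update the preview DB for the closed PR
        env:
          # Untrusted PR fields are passed through env vars, never
          # interpolated into the shell command string.
          PREVIEW_DB_KEY: ${{ secrets.PREVIEW_DB_KEY }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        # Only the script from the base branch runs; the PR contents are
        # never built or executed in this job.
        run: ./scripts/update-preview-db.sh "$PR_NUMBER"
```

The build step itself should stay on the plain pull_request trigger (no secrets), so that untrusted fork code is compiled and tested without any credentials in reach.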

Labels: bug (Something isn't working)

Status: Done