Use environments to protect CI #1503
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| # SECURITY: Uses environment protection for external PRs instead of unsafe "safe to test" labels. | |
| # Environment protection provides secure manual approval tied to specific commits, | |
| # eliminating race conditions and ensuring maintainer review before secrets access. | |
| on: | |
| push: | |
| branches: [main] | |
| paths-ignore: | |
| - "**.md" | |
| - ".changeset/**" | |
| pull_request_target: | |
| types: [opened, synchronize, reopened] | |
| paths-ignore: | |
| - "**.md" | |
| - ".changeset/**" | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| paths: | |
| - .github/workflows/ci.yml | |
| concurrency: ${{ github.workflow }}--${{ github.ref }} | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| main: | |
| name: Node.js 20 | |
| runs-on: ubuntu-latest | |
| # SECURITY: Use environment protection for external contributors | |
| environment: ${{ github.event.pull_request.head.repo.full_name != github.repository && 'external-testing' || '' }} | |
| # Run tests with secrets for: | |
| # 1. Push to main (trusted), OR | |
| # 2. PR from same repository (trusted) | |
| # For external PRs: environment protection requires manual approval | |
| if: | | |
| github.event_name == 'push' || | |
| github.event.pull_request.head.repo.full_name == github.repository | |
| steps: | |
| - name: Checkout sources | |
| uses: actions/checkout@v4 | |
| with: | |
| # SECURITY: For external PRs, only checkout trusted base branch | |
| ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.event.pull_request.head.sha || github.sha }} | |
| - name: Decrypt keyfile | |
| run: ./.github/scripts/decrypt_secret.sh | |
| env: | |
| KEYFILE_PASSPHRASE: ${{secrets.KEYFILE_PASSPHRASE}} | |
| - name: Install Node.js | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: 20.19 | |
| - name: Install dependencies | |
| run: npm ci --no-fund --no-audit | |
| - name: Build | |
| run: npm run build | |
| - name: Check formatting | |
| run: npm run format:check | |
| - name: Run linters | |
| run: npm run lint | |
| - name: Run tests | |
| run: npm run test | |
| env: | |
| AWS_BUCKET: ${{secrets.AWS_BUCKET}} | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AZURE_ACCOUNT_ID: ${{secrets.AZURE_ACCOUNT_ID}} | |
| AZURE_ACCOUNT_KEY: ${{secrets.AZURE_ACCOUNT_KEY}} | |
| AZURE_CONTAINER_NAME: ${{secrets.AZURE_CONTAINER_NAME}} | |
| AWS_REGION: ${{secrets.AWS_REGION}} |