Actions
Feature #21659
closedGithub integration test check workflow 21659-gh-workflow-tests
Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Story points:
-
Release:
Release relationship:
Auto
Description
Branch 21659-gh-workflow-tests , tested on my github branch with a few example PRs: https://github.com/stephen304/arvados/pulls
Here is a proposed github workflow that runs the wb2 integration tests using the cypress in docker method. It takes an extra 10 minutes because it builds the workbench2-build container each time (since it's not pushed anywhere) but that doesn't seem like it would matter for the occasional dependabot or external PR.
The workflow is triggered on every PR
Security considerations:- Used actions are pinned to specific github action hashes
- Prevents vulnerabilities from being introduced by the creators of the actions - will not auto update
- Repo settings can also restrict used actions to a specific list, this would prevent a PR from changing the used actions to something malicious, ex:
actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11, addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185, docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0, docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb,
- The repo settings can also disable write access to the repo under Actions > Workflow permissions, as well as unchecking the allow actions to create/approve PRs option
- This way even if a malicious PR was approved to run workflows it wouldn't have any ability to change anything in the repo
- Also secrets and repo variables aren't passed to runs triggered by fork PRs, so those should be safe too
Updated by Stephen Smith 9 months ago
- Description updated (diff)
- Subject changed from Github integration test check workflow to Github integration test check workflow 21659-gh-workflow-tests
Updated by Peter Amstutz 8 months ago
- Target version changed from Future to Development 2024-04-24 sprint
Updated by Lucas Di Pentima 8 months ago
Branch 21659-gh-workflow-tests
LGTM. I've set workflows read only permissions to Github's repo. Thanks!
Updated by Stephen Smith 8 months ago
- Status changed from New to Resolved
Actions