Arvados

Branch 21659-gh-workflow-tests , tested on my github branch with a few example PRs: https://github.com/stephen304/arvados/pulls

Here is a proposed github workflow that runs the wb2 integration tests using the cypress in docker method. It takes an extra 10 minutes because it builds the workbench2-build container each time (since it's not pushed anywhere) but that doesn't seem like it would matter for the occasional dependabot or external PR.

The workflow is triggered on every PR

• Used actions are pinned to specific github action hashes
  • Prevents vulnerabilities from being introduced by the creators of the actions - will not auto update
  • Repo settings can also restrict used actions to a specific list, this would prevent a PR from changing the used actions to something malicious, ex:
    

    actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11,
    addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185,
    docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0,
    docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb,
    

• The repo settings can also disable write access to the repo under Actions > Workflow permissions, as well as unchecking the allow actions to create/approve PRs option
  • This way even if a malicious PR was approved to run workflows it wouldn't have any ability to change anything in the repo
• Also secrets and repo variables aren't passed to runs triggered by fork PRs, so those should be safe too