Feature #21659
Updated by Stephen Smith 8 months ago
Branch 21659-gh-workflow-tests
Here is a proposed github workflow that runs the wb2 integration tests using the cypress in docker method. It takes an extra 10 minutes because it builds the workbench2-build container each time (since it's not pushed anywhere) but that doesn't seem like it would matter for the occasional dependabot or external PR.
The workflow is triggered on every PR and used actions are pinned to specific github action hashes. The repo settings can also disable write access to the repo under Actions > Workflow permissions, as well as unchecking the allow actions to create/approve PRs.
The actions can also be locked down to only allow a specific set of actions to run, for this workflow it would be
<pre>
actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11,
addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185,
docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0,
docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb,
</pre>
This way even if a malicious PR was approved to run workflows it wouldn't have any ability to change anything in the repo
Also secrets and repo variables aren't passed to runs triggered by fork PRs, so those should be safe too