✨ Check for secrets in workflows run on pull requests #1615
Conversation
}

// Secrets used on jobs.
for _, job := range workflow.Jobs {
Do we need to check for secrets in every job here? Should we only check for secrets in the code checkout job?
Correct, the check is in checkJobForUsedSecrets().
Note: I'm going to update the code today to also verify whether an environment is declared or not, since this indicates an env secret and is typically gated by an approval, so we can discard such jobs. We can add further logic later to read the actual environment rules if we want.
Updated the PR description to reflect my last comment.
See point 5 in #426 (comment)
This PR looks for secrets used in a job's env, a job's with argument, a job's run scripts and the top-level env of the workflow. We add the following constraints:
- pull_request
- action/checkout of the PR.
- environment field which typically indicates some review before running - this can be refined later through GitHub REST API calls
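As an added illustration of the check this PR describes (example code, not scorecard's implementation), the Go below scans a job's env, its steps' with arguments and run scripts, and the workflow's top-level env for `${{ secrets.NAME }}` references, and skips jobs that declare an environment or never run actions/checkout. The struct model, the `actions/checkout` prefix test and the sample workflow are assumptions constructed for the example; the workflow is assumed to have already been selected as one triggered on pull_request.

```go
package main

import (
	"regexp"
	"strings"
)

// Assumed minimal model of the fields the check reads (not scorecard's types); the workflow is assumed already known to trigger on pull_request.
type Step struct{ Uses, Run string; With map[string]string }
type Job struct{ Environment string; Env map[string]string; Steps []Step }
type Workflow struct{ Env map[string]string; Jobs map[string]Job }

var secretRef = regexp.MustCompile(`\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}`)
// addSecrets records every `${{ secrets.NAME }}` reference found in the strings and in the mapping values.
func addSecrets(found map[string]bool, strs []string, maps ...map[string]string) {
	for _, m := range maps {
		for _, v := range m {
			strs = append(strs, v)
		}
	}
	for _, s := range strs {
		for _, m := range secretRef.FindAllStringSubmatch(s, -1) {
			found[m[1]] = true
		}
	}
}

// JobSecrets returns the secrets a job can reach, or nil when the job is out of scope because it
// declares an environment (taken as review-gated) or never checks out the PR code.
func JobSecrets(w Workflow, j Job) map[string]bool {
	found, checkout := map[string]bool{}, false
	for _, s := range j.Steps {
		checkout = checkout || strings.HasPrefix(s.Uses, "actions/checkout")
		addSecrets(found, []string{s.Run}, s.With) // step run script and with: arguments
	}
	if j.Environment != "" || !checkout {
		return nil
	}
	addSecrets(found, nil, w.Env, j.Env) // top-level env and job env
	return found
}

// SampleWorkflow is a constructed pull_request workflow: "test" exposes four secrets, "deploy" is skipped.
func SampleWorkflow() Workflow {
	return Workflow{Env: map[string]string{"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}, Jobs: map[string]Job{
		"test": {Env: map[string]string{"GH": "${{ secrets.GH_PAT }}"}, Steps: []Step{{Uses: "actions/checkout@v3"},
			{Run: "curl -H 'Authorization: ${{ secrets.API_KEY }}' https://example.invalid"},
			{Uses: "example/upload@v1", With: map[string]string{"token": "${{secrets.UPLOAD}}"}}}},
		"deploy": {Environment: "production", Steps: []Step{{Uses: "actions/checkout@v3"}, {Run: "deploy --key ${{ secrets.DEPLOY_KEY }}"}}},
	}}
}
```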