Comments (9)
Thank you very much for the detail!
Thanks for the report!
gleichda/gleich.dev#44
I hope dependabot reads the credentials.
@gleichda Do you want to fail CI when the credentials are not provided?
No, Dependabot PRs currently cannot read the credentials. (Another issue that has nothing to do with your action.)
But yes, as the deployment is not successful I would expect the action to fail.
I'll add a new input like fails-if-no-credential-provided or fails-without-credentials.
This specification was decided on #33 in https://github.com/nwtgck/actions-netlify/pull/33/files#diff-4fab5baaca5c14d2de62d8d2fceef376ddddcc8e9509d86cfa5643f51b89ce3d.
GitHub-native Dependabot can not read. But Dependabot-Preview can?: #527
I'll add a new input like fails-if-no-credential-provided or fails-without-credentials. This specification was decided on #33 in https://github.com/nwtgck/actions-netlify/pull/33/files#diff-4fab5baaca5c14d2de62d8d2fceef376ddddcc8e9509d86cfa5643f51b89ce3d.
Actually, I would expect the behavior from before #33, but anyway introducing a variable also seems a valid option.
GitHub-native Dependabot can not read. But Dependabot-Preview can?: #527
Weird...
Thanks.
One day, after the new variable is introduced, I can change the default behavior as a breaking change in a major release: fail by default when no credentials are provided.
I hope GitHub allows project authors to give credentials to every PR when a project they admit.
Now this feature is available on v1.2.1, v1.2 or v1.
Example usage: https://github.com/nwtgck/actions-netlify/pull/533/files
GitHub-native Dependabot can not read. But Dependabot-Preview can?
They don't appear to be equivalent. Preview is an app with different trust model AFAIK. Native may be under the usual restrictions, at least for time being for security reasons. I don't know too much about either, it could be that preview approach is more secure.
I hope GitHub allows project authors to give credentials to every PR when a project they admit.
You can, but it is not advised to allow any third party to contribute a PR and run code that can access repo secrets. It allows for malicious usage. This includes sending a Dependabot-like PR for what looks like a harmless update, but with a compromised dependency that will run some malicious code during the GitHub Action to steal secrets from many projects.
If the branch is on your own repo, or it is a fork of someone who is a collaborator with secrets access, those PR can access secret AFAIK as they're trusted.
The advice is to run any scripts and build in pull_request context without secrets access, then upload this artifact and have a workflow trigger to download the artifact and continue with secrets in a separate workflow that your project controls, unrelated to the PR.
- https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- https://blog.teddykatz.com/2021/03/17/github-actions-write-access.html
EDIT: I just went over the referenced dependabot issue link from earlier. I see it addresses what I've said above and provides the same 1st URL I did. I assume it's due to the vulnerability that the teddykatz blog URL describes.
The related github blog post also states the behaviour of dependabot (native) to be like a repo fork making pull requests, so that resolves that difference between it and the preview app I think.
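The two-workflow split described in the comment above, as an added example that is not part of the original thread or of the actions-netlify project: the first workflow builds in the untrusted pull_request context with no secrets, the second is triggered by workflow_run from the default branch and deploys the uploaded artifact with secrets. File names, the `npm` build commands, and the `fails-without-credentials` input name (taken from the proposal in this thread, not verified against the action's current documentation) are assumptions.

```yaml
# .github/workflows/pr-build.yml  (assumed file name)
# Untrusted context: PR code runs here, so no secrets are referenced.
name: PR build
on:
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build      # assumed build commands
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: dist                      # assumed publish directory
---
# .github/workflows/pr-deploy.yml  (assumed file name)
# Trusted context: runs the default branch's copy of this file after
# "PR build" finishes. The PR's code is never checked out or executed here;
# only its build output is downloaded.
name: PR deploy
on:
  workflow_run:
    workflows: ["PR build"]
    types: [completed]

jobs:
  deploy:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: dist
          # Cross-workflow download needs the producing run's id and a token.
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: nwtgck/actions-netlify@v1
        with:
          publish-dir: dist
          # Assumed input name from the thread: fail the job instead of
          # silently skipping when the Netlify secrets are missing.
          fails-without-credentials: true
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
```

Because the deploy workflow only consumes a static artifact, a PR can change what gets published to the preview but cannot run code in the job that holds the Netlify credentials.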