
Let's say the integration tests I want to run on every pull request require an external API authentication secret.

See the following example:

```yaml
name: Pull Request Workflow
on:
  pull_request:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Build and test
        run: |
          # Build and test code here
          ./run-tests.sh --secret=$MY_SECRET
        # Use ${{ secrets.MY_SECRET }} to access the encrypted secret
        env:
          MY_SECRET: ${{ secrets.MY_SECRET }}
```

It is important for me to have contributors see the results of these tests and solve the potential issues before a pull request is merged.

On the other hand, if a malicious contributor wants to steal the secret, they can change run-tests.sh to send the secret back to them and open a pull request.

What is the right way to protect the secrets in such a case? It seems basic to give test feedback on pull requests.

Jonas
Ben Hirschberg
    There are some [limitations for first time contributors](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#configuring-required-approval-for-workflows-from-public-forks) when opening a PR. You could also add a `setup` job to check if the contributor is part of a specific list, and then only run the script with the test if the condition is met. From the moment a contributor has write access to your repository, you need to be aware that they can eventually access the secret you're using, so try reducing their scope as well – GuiFalourd Mar 29 '23 at 15:55
  • Also, see [Using secrets](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-secrets) section of [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions). – Azeem Mar 30 '23 at 10:04
  • As far as I understand, GitHub does not allow environment secrets to be passed to CI actions triggered by PRs. I agree that "it is important to have contributors see the results of these tests before a pull request is merged" but I cannot work out how to get the tests to run, as the secrets are unavailable. I have asked for a solution here: https://stackoverflow.com/questions/76746551/how-to-use-github-actions-environment-secrets-in-open-source-pull-request-ci-wor – Ross Bencina Jul 23 '23 at 03:27
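The following workflow is an added example (not part of the question or any of the comments) that puts the two suggestions from the comments into one file: the tests that need no credentials run for every pull request, and the step that needs `MY_SECRET` only runs when a `gate` job finds that the PR branch lives in this repository and the actor is on an allow-list, and only after a maintainer approves the run through a protected environment. The environment name `external-api-tests`, the allow-list `alice bob` and the `SKIP_API_TESTS` variable understood by `run-tests.sh` are assumptions made for this example; everything else uses GitHub Actions syntax and context fields as documented.

```yaml
name: Pull Request Workflow
on:
  pull_request:
    branches:
      - main

# Least privilege for the automatic GITHUB_TOKEN: read-only unless a job asks for more.
permissions:
  contents: read

jobs:
  # Job 1: runs for every PR, forks included. It references no secrets, so a
  # malicious change to run-tests.sh has nothing to exfiltrate from this job.
  build-and-unit-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and run tests that need no credentials
        env:
          SKIP_API_TESTS: "1"   # assumption: run-tests.sh skips the external API when set
        run: ./run-tests.sh

  # Job 2: the "setup job" idea from the comments. It decides whether the
  # secret-bearing job may run at all. Fork PRs fail the HEAD_REPO check, which
  # matches GitHub's own behaviour of withholding secrets from fork-triggered runs.
  gate:
    runs-on: ubuntu-latest
    outputs:
      allowed: ${{ steps.check.outputs.allowed }}
    steps:
      - id: check
        # Context values go through env, not directly into the script, so a
        # crafted branch or user name cannot be spliced into the shell command.
        env:
          ACTOR: ${{ github.actor }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
          ALLOWED_ACTORS: "alice bob"   # constructed allow-list for this example
        run: |
          allowed=false
          if [ "$HEAD_REPO" = "$BASE_REPO" ]; then
            for a in $ALLOWED_ACTORS; do
              [ "$a" = "$ACTOR" ] && allowed=true
            done
          fi
          echo "allowed=$allowed" >> "$GITHUB_OUTPUT"

  # Job 3: the only job that can see MY_SECRET. It is skipped unless the gate
  # passed, and the environment (assumed to be configured with required reviewers
  # in the repository settings) pauses the run until a maintainer approves it.
  integration-test:
    needs: [build-and-unit-test, gate]
    if: needs.gate.outputs.allowed == 'true'
    runs-on: ubuntu-latest
    environment: external-api-tests
    steps:
      - uses: actions/checkout@v4
      - name: Integration tests against the external API
        env:
          MY_SECRET: ${{ secrets.MY_SECRET }}
        run: ./run-tests.sh --secret="$MY_SECRET"
```

Two caveats a practitioner should keep in mind. First, the gate does not make the secret safe from an allow-listed contributor: anyone who can reach the `integration-test` job can still edit `run-tests.sh` to leak `MY_SECRET`, which is the point made in the first comment; the required-reviewer step only helps if the reviewer reads the diff before approving. Second, passing the secret as a command-line argument (as in the original workflow) exposes it to anything on the runner that can list processes, so a script that reads it from the environment instead is preferable when you control `run-tests.sh`.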

0 Answers