Our great sponsors
-
tfcmt
Fork of mercari/tfnotify. tfcmt enhances tfnotify in many ways, including Terraform >= v0.15 support and advanced formatting options
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
In this post, I described how to build secure GitHub Actions workflows by pull_request_target event instead of pull_request event. Using pull_request_target, you can prevent malicious codes from being executed in CI. And by managing secrets in secrets management services such as AWS Secrets Manager and Google Secret Manager and access them via OIDC, you can restrict the access to secrets securely. To migrate pull_request to pull_request_target, several modifications are needed. And pull_request_target has a drawback that it's difficult to test changes of workflows, so it's good to introduce pull_request_target to repositories that require strong permissions in CI. For example, a Terraform Monorepo tends to require strong permissions for CI, so it's good to introduce pull_request_target to it.
You may need to fix scripts and actions so that they work well on pull_request_target events. For example, if you use tfcmt and github-comment, which are my OSS, you need to set the merge commit hash to the environment variables TFCMT_SHA and GH_COMMENT_SHA1. You also need to check if third party actions support the pull_request_target event.
You may need to fix scripts and actions so that they work well on pull_request_target events. For example, if you use tfcmt and github-comment, which are my OSS, you need to set the merge commit hash to the environment variables TFCMT_SHA and GH_COMMENT_SHA1. You also need to check if third party actions support the pull_request_target event.
To checkout the merged commit with actions/checkout on pull_request_target event, you need to get the pull request by GitHub API and set the merge commit hash to actions/checkout input ref.
I created a small action for this.
Related posts
- How do you handle sensitive variables with a service-worker?
- Need Help with Deploying Directus on Google Cloud Platform (GCP)
- Has anyone been able to implement the OpenAI API with a Firebase Function (which is needed for the env variable API Key)?
- Securely storing Social Security Numbers with Firebase?
- Dónde van las credenciales cuando voy a subir un código a la nube para correr 24/7?