ongdisheng commented on issue #678: URL: https://github.com/apache/fesod/issues/678#issuecomment-3567559178
Hi @delei, You're absolutely right about the security concerns with `pull_request_target`. I really appreciate you pointing this out.

I've researched alternative approaches and found a secure two-workflow pattern that solves this issue. The solution splits the preview into two separate workflows:

1. The first [workflow](https://github.com/ongdisheng/fesod/blob/main/.github/workflows/pr-docs-build.yml) runs on `pull_request` to build the documentation without accessing any secrets.
2. The second [workflow](https://github.com/ongdisheng/fesod/blob/main/.github/workflows/pr-docs-preview.yml) runs on `workflow_run` trigger to deploy the built artifact to Netlify with secrets access, but only after the build succeeds.

The key security benefit is that `workflow_run` always uses the workflow file from the default branch, not from the PR branch. This means even if a fork PR tries to modify the deploy workflow to steal secrets, their modified version won't execute. Only the trusted workflow on our main branch will run. This way, untrusted code from fork PRs never has access to our Netlify secrets, while we can still provide preview deployments for all PRs.

I've already implemented and tested [this](https://github.com/ongdisheng/fesod/pull/1) on my fork repo. Please feel free to check it out and let me know if there is anything that needs to be changed. I'd be happy to make any adjustments based on your feedback.
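The two-workflow pattern described in the comment above, sketched as an added example. This is not the author's actual workflow code (those files are linked in the comment) and not part of the fesod project; it is a minimal illustration that assumes a docs site built with `npm run build` under `docs/`, an artifact name `docs-site`, and repository secrets named `NETLIFY_AUTH_TOKEN` and `NETLIFY_SITE_ID`. The two files are shown as one YAML stream separated by `---`; in a repository they would be two separate files.

```yaml
# File 1 (assumed path): .github/workflows/pr-docs-build.yml
# Runs on `pull_request`, i.e. in the fork's context with NO secrets available.
# Because this file is taken from the PR branch, everything it produces
# (including the artifact) must be treated as untrusted by the deploy side.
name: PR docs build
on:
  pull_request:
    paths: ["docs/**"]          # assumption: the docs site lives under docs/

permissions:
  contents: read                # least privilege: the build needs nothing else

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Build site
        working-directory: docs
        run: |
          npm ci
          npm run build         # assumption: emits static files into docs/build/
      - uses: actions/upload-artifact@v4
        with:
          name: docs-site       # assumed artifact name, referenced by file 2
          path: docs/build
---
# File 2 (assumed path): .github/workflows/pr-docs-preview.yml
# Triggered by `workflow_run`. GitHub always executes THIS file from the default
# branch, so a PR cannot alter it. Secrets are available here, but the PR's code
# is never checked out or executed: only its build output is downloaded as data
# and uploaded to Netlify as static files.
name: PR docs preview
on:
  workflow_run:
    workflows: ["PR docs build"]   # must match the `name:` of file 1
    types: [completed]

permissions:
  actions: read                 # required to download the other run's artifact
  contents: read

jobs:
  deploy:
    # Deploy only if the untrusted build actually succeeded.
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: docs-site
          path: site
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Deploy preview to Netlify
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}  # assumed secret name
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}        # assumed secret name
          # head_sha comes from the trusted event payload, not from the
          # attacker-controllable artifact, so it is safe to use in a command.
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          npx --yes netlify-cli deploy --dir=site \
            --alias="pr-${HEAD_SHA:0:12}" \
            --message="Docs preview for ${HEAD_SHA}"
```

Two points worth checking when adapting this: the deploy job must never run anything taken from the artifact (no `npm install` or scripts inside `site/`), since the build workflow file and therefore the artifact contents are controlled by the PR author; and `github.event.workflow_run.pull_requests` is empty for PRs from forks, so any PR number passed through the artifact is untrusted input and should be validated (for example, as a plain integer) before it is used to post a comment or build a URL.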
