alaahong commented on issue #678:
URL: https://github.com/apache/fesod/issues/678#issuecomment-3568087087

   > Hi [@delei](https://github.com/delei), You're absolutely right about the
   > security concerns with `pull_request_target`. I really appreciate you pointing
   > this out. I've researched alternative approaches and found a secure
   > two-workflow pattern that solves this issue. The solution splits the preview
   > into two separate workflows:
   >
   > 1. The first [workflow](https://github.com/ongdisheng/fesod/blob/main/.github/workflows/pr-docs-build.yml)
   >    runs on `pull_request` to build the documentation without accessing any
   >    secrets.
   > 2. The second [workflow](https://github.com/ongdisheng/fesod/blob/main/.github/workflows/pr-docs-preview.yml)
   >    runs on the `workflow_run` trigger to deploy the built artifact to Netlify
   >    with secrets access, but only after the build succeeds.
   >
   > The key security benefit is that `workflow_run` always uses the workflow
   > file from the default branch, not from the PR branch, according to the GitHub
   > [docs](https://github.blog/news-insights/product-news/github-actions-improvements-for-fork-and-pull-request-workflows/).
   > This means even if a fork PR tries to modify the deploy workflow to steal
   > secrets, their modified version won't execute. Only the trusted workflow on our
   > main branch will run. This way, untrusted code from fork PRs never has access
   > to our Netlify secrets, while we can still provide preview deployments for all
   > PRs. I've already implemented and tested
   > [this](https://github.com/ongdisheng/fesod/pull/1) on my fork repo. Please feel
   > free to check it out and let me know if there is anything that needs to be
   > changed. I'd be happy to make any adjustments based on your feedback.
   >
   > CC: [@alaahong](https://github.com/alaahong)
   
   Can you suggest the correct configuration?
   
   The 709 configuration is set as below, with errors:
   <img width="1072" height="857" alt="Image" src="https://github.com/user-attachments/assets/d5021fc7-348c-4fb8-8c98-f9c0261346ea" />
   It's running under Netlify with all the empty settings you gave, but it seems that's not from the CI? Just a dry run on Netlify.
   <img width="903" height="692" alt="Image" src="https://github.com/user-attachments/assets/d6a2c7e0-9651-4084-9d9b-78bf40271412" />
   
   Whichever triggers the job, Netlify or CI, it should be fine to:
   1. Preview the PR diff on a temp website
   2. Deploy the website via GitHub Actions
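The two-workflow pattern described in the quoted reply, written out as an added example (these are not the fork's actual workflow files); the `docs/` directory, the npm build command, the artifact name and the Netlify CLI invocation are assumptions:

```yaml
# .github/workflows/pr-docs-build.yml -- runs in the fork PR's context, no secrets
name: pr-docs-build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build   # assumed build command
        working-directory: docs
      - run: echo "${{ github.event.number }}" > docs/build/.pr_number
      - uses: actions/upload-artifact@v4
        with:
          name: docs-site
          path: docs/build
---
# .github/workflows/pr-docs-preview.yml -- workflow_run always executes this file
# from the default branch, so a fork cannot edit it; only this job sees the secrets.
name: pr-docs-preview
on:
  workflow_run:
    workflows: [pr-docs-build]
    types: [completed]
permissions:
  contents: read
  actions: read   # needed to download the artifact of the triggering run
jobs:
  deploy:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: docs-site
          path: site
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # The artifact was produced by untrusted code: validate the PR number before it
      # reaches a shell command, and publish the files without executing any of them.
      - id: pr
        run: |
          n=$(tr -d '[:space:]' < site/.pr_number)
          [[ "$n" =~ ^[0-9]+$ ]] || { echo "bad PR number"; exit 1; }
          rm site/.pr_number; echo "number=$n" >> "$GITHUB_OUTPUT"
      - run: npx netlify-cli deploy --dir=site --alias="pr-${{ steps.pr.outputs.number }}"
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
```

The preview job deliberately has no checkout step, so nothing from the PR branch is ever executed with the secrets in scope; the only input it consumes is the static site artifact.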
-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.