Action does not fail when no credentials are provided

[gleichda]

When running the v1.2 action it does not fail when no credentials are provided which can happen under some circumstances because of dependabot e.g. (dependabot/dependabot-core#3253)

Sample run: https://github.com/gleichda/gleich.dev/runs/2492536703?check_suite_focus=true

[nwtgck]

Thanks for the report!
gleichda/gleich.dev#44

[nwtgck]

I hope dependabot reads the credentials.

@gleichda Do you want to fail CI when the credentials not provided?

[gleichda]

No Dependabot PRs can currently not read the credentials. (another issue that has nothing to do with your action)
But yes as the deployment is not successful I would expect the action to fail.

[nwtgck]

I'll add new input like fails-if-no-credential-provided or fails-without-credentials.

This specification was decided on #33 in https://github.com/nwtgck/actions-netlify/pull/33/files#diff-4fab5baaca5c14d2de62d8d2fceef376ddddcc8e9509d86cfa5643f51b89ce3d.

---

GItHub-native Dependabot can not read. But Dependabot-Preview can?: #527

[gleichda]

I'll add new input like fails-if-no-credential-provided or fails-without-credentials.

This specification was decided on #33 in https://github.com/nwtgck/actions-netlify/pull/33/files#diff-4fab5baaca5c14d2de62d8d2fceef376ddddcc8e9509d86cfa5643f51b89ce3d.

Actually I would expect the behavior before #33 but anyways introducing a variable seems also a valid option.

GItHub-native Dependabot can not read. But Dependabot-Preview can?: #527

Weird...

[nwtgck]

Thanks.

One day, after the new variable introduced, I can change the default behavior as breaking change in a major release: fails by default when no credentials provided.

---

I hope GitHub allows project authors to give credentials to every PR when a project they admit.

[nwtgck]

Now this feature is available on v1.2.1, v1.2 or v1.

Example usage: https://github.com/nwtgck/actions-netlify/pull/533/files

[polarathene]

GItHub-native Dependabot can not read. But Dependabot-Preview can?

They don't appear to be equivalent. Preview is an app with different trust model AFAIK. Native may be under the usual restrictions, at least for time being for security reasons. I don't know too much about either, it could be that preview approach is more secure.

---

I hope GitHub allows project authors to give credentials to every PR when a project they admit.

You can, but it is not advised to allow any third-party to contribute PR and run code that can access repo secrets. It allows for malicious usage. This includes sending dependabot like PR for what looks like harmless update, but with a compromised dependency that will run some malicious code during Github Action to steal secrets from many projects.

If the branch is on your own repo, or it is a fork of someone who is a collaborator with secrets access, those PR can access secret AFAIK as they're trusted.

The advice is to run any scripts and build in pull_request context without secrets access, then upload this artifact and have workflow trigger to download the artifact and continue with secrets in a separate workflow that your project controls unrelated to the PR.

• https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
• https://blog.teddykatz.com/2021/03/17/github-actions-write-access.html

---

EDIT: I just went over the referenced dependabot issue link from earlier. I see it addresses what I've said above and provides the same 1st URL I did. I assume it's due to the vulnerability that the teddykatz blog URL describes.

The related github blog post also states the behaviour of dependabot (native) to be like a repo fork making pull requests, so that resolves that difference between it and the preview app I think.

[nwtgck]

Thank you very much for the detail!