-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Action does not fail when no credentials are provided #529
Comments
Thanks for the report! |
I hope dependabot reads the credentials. @gleichda Do you want to fail CI when the credentials not provided? |
No Dependabot PRs can currently not read the credentials. (another issue that has nothing to do with your action) |
I'll add new input like This specification was decided on #33 in https://github.com/nwtgck/actions-netlify/pull/33/files#diff-4fab5baaca5c14d2de62d8d2fceef376ddddcc8e9509d86cfa5643f51b89ce3d. GItHub-native Dependabot can not read. But Dependabot-Preview can?: #527 |
Actually I would expect the behavior before #33 but anyways introducing a variable seems also a valid option.
Weird... |
Thanks. One day, after the new variable introduced, I can change the default behavior as breaking change in a major release: fails by default when no credentials provided. I hope GitHub allows project authors to give credentials to every PR when a project they admit. |
Now this feature is available on Example usage: https://github.com/nwtgck/actions-netlify/pull/533/files |
They don't appear to be equivalent. Preview is an app with different trust model AFAIK. Native may be under the usual restrictions, at least for time being for security reasons. I don't know too much about either, it could be that preview approach is more secure.
You can, but it is not advised to allow any third-party to contribute PR and run code that can access repo secrets. It allows for malicious usage. This includes sending dependabot like PR for what looks like harmless update, but with a compromised dependency that will run some malicious code during Github Action to steal secrets from many projects. If the branch is on your own repo, or it is a fork of someone who is a collaborator with secrets access, those PR can access secret AFAIK as they're trusted. The advice is to run any scripts and build in
EDIT: I just went over the referenced dependabot issue link from earlier. I see it addresses what I've said above and provides the same 1st URL I did. I assume it's due to the vulnerability that the teddykatz blog URL describes. The related github blog post also states the behaviour of dependabot (native) to be like a repo fork making pull requests, so that resolves that difference between it and the preview app I think. |
Thank you very much for the detail! |
When running the v1.2 action it does not fail when no credentials are provided which can happen under some circumstances because of dependabot e.g. (dependabot/dependabot-core#3253)
Sample run: https://github.com/gleichda/gleich.dev/runs/2492536703?check_suite_focus=true
The text was updated successfully, but these errors were encountered: