-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace usage of ADMIN_GITHUB_TOKEN #505
Comments
I tried using environment and the trusted PyPI publisher action with https://github.com/jupyterlab-contrib/search-replace For what I saw, the only default restriction you can put on environment is adding mandatory review or delay the execution. But app may be use to perform more complex validation rules. From my test, I'm wondering if a solution could not be to create an app (like the jupyterlab-probot e.g.) that enforces execution within an environment.
|
The workflow itself has to be marked as requiring an environment. I did a full end to end test [here|https://github.com/jupyter/security/issues/63] |
Thanks @blink1073 In what I tried I did something similarly to your test by adding mandatory review on the environment. I just found that this add a step to do the release; my laziness kicked in why one more step 😉 But yeah likely better to have to do one more click than having a bad release. |
New plan: use the user's GITHUB_TOKEN, and recommend the use of an environment. Technically our check for the github actor's permissions would still work, but environment is still better. To handle forwardport and silent changelog PRs, we add an option to make the PR comment to toggle the PR. |
For release-from-releaser, we will need to keep using ADMIN_GITHUB_TOKEN. Add a new option for post-PR comment, that will default to Update the docs and examples to always use an environment. Test this against https://github.com/blink1073/test-python-project/ before committing to the process. First, I need to update jupyterlab-probot to return the default config if no config file is found, because it is returning an empty object:
|
Okay, I did some testing in my scratch repo, and here's my recommendation:
For the GitHub App:
Then, per repo:
|
Nice!
So that means for repos hosted under a user account (not part of an organization) the user will have to install a GitHub App for their account (likely to be treated as an "org" by GitHub already)? |
Looks like the commit corresponds to the user who run the workflow, which is nice for tracking and knowing who made the release (as previously discussed in #521) 👍 |
Okay, I'll open separate issues to discuss removing |
Problem
We should not have to worry about the ADMIN_GITHUB_TOKEN. It is a maintenance burden and an additional security surface area.
Proposed Solution
We should instead create a PR with the commits that were previously pushed directly, and merge it from the Action. This will allow branch protections to remain in place. We can recommend the use of
environments
with restricted users in the publish action, regardless of whether OIDC tokens are used (#504).The text was updated successfully, but these errors were encountered: