Fix coverage workflow #385
Conversation
|
Does this fix #381? If so that's extremely helpful :) |
|
It would, yes :) |
|
Or, rather. kinda. That thing is broken in fun ways. It depends what you're trying to really achieve. Personally I'd get rid of writing a comment on the PR and only do step summary. My workflow/action (check-spelling) supports both, but the effort required to maintain commenting is scary to most people. To actually get comments on PRs from forks requires changing from Actually, let me revise this so it's less scary. |
jsoref
force-pushed
the
fix-coverage-workflow
branch
from
9bd8a54
to
1e3e8cf
Compare
Didn't know about step summaries (ref for anyone else reading this). Is there a way to make them visible in the PR itself instead of in the Action summary? Having to go check the summary pretty much makes it useless, what we want is an obviously visible warning if your PR is decreasing coverage. |
|
I'm hoping github will eventually improve access to step summaries -- at the very least, i'm hoping github will replace Sadly, no, step summaries don't have great visibility, but the permissions required for commenting are generally sufficiently scary that most of the time projects I work with decide to use step summaries instead of allowing my workflow to comment. Granting An alternative is having a bot or some purpose built (and carefully audited/maintained) code that has a token (with Anyway, if you trust workflows and that people can review/audit them, then, you can spin a wheel. The other thing you can do is include some Note that changing from Basically this stuff is a bit of a headache -- sorry :) |
|
@ianspektor: anyway, if you tell me what you'd like, I'm happy to adjust the workflow to do it (within reason) |
|
Hey 👋🏼 Don't have time to dive into this atm but will try to get to it early next week - thanks so much for the very detailed explanations! |
|
Alright, here's what I propose:
Thoughts? |
|
Ok, here's what I have, this is a same repo PR with comment: Here's a PR from a different repo with comment: |
jsoref
force-pushed
the
fix-coverage-workflow
branch
2 times, most recently
from
086ac01
to
d601c08
Compare
So, this requires essays, and there are some, e.g.: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/. TL;DR: If someone is triggering an event in their own repository, they already had the ability to write to the repository, and thus it isn't interesting if what they push can make additional changes to their repository. -- This is conceptually, e.g. me pushing to my own repository and a workflow in my repository being given If someone is triggering an event in someone else's repository, then it'd be bad if they could cause a change to the repository to be made without consent of the owners of that repository. This is the case you have here. I'm making a significant change to a workflow. -- If my change were directly run before you merged it, that'd mean my PR could trigger additional commits to be added and that's really bad. GitHub has a number of protections for this: first by default workflows running from PRs across forks are limited to Sometimes, you need to be able to allow a PR to do things with In the proposed workflow, for a future PR w/ this enabled, there are three jobs and they'll look like this: coverage (pr)GITHUB_TOKEN Permissions
Contents: read
Metadata: readCheckoutRun actions/checkout@v3
with:
ref: refs/pull/3/merge-- this part is where things could be dangerous (as the code being run is from a fork and is thus untrustworthy) -- if not for the careful permissions established by the workflow changes here -- coverage (main)GITHUB_TOKEN Permissions
Contents: read
Metadata: readCheckoutRun actions/checkout@v3
with:
ref: maincommentGITHUB_TOKEN Permissions
Metadata: read
PullRequests: writeno checkoutIf there was a checkout, it'd default to using the pull request target's branch. Here the code (and in fact, all of the workflow steps themselves) came from the pull request target. In general, changes to workflows that have pull_request_target events are not seen until after they're merged, so testing them involves setting up a repository where the commits are already present (I'm not certain about how |
|
Thanks again for the extremely careful explanations.
We could also just change it to |
Yeah. I'd personally just create a PR into a branch that has the changes I'm testing (as I did here to show things). But, that's probably because I spend 99% of my time dealing with my workflows that use |
|
One more thing: could you add some very concrete (~1-line) explanations in the tricky/not-so-standard parts?
Add links if needed |
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
|
Sadly the various doc/blog links are kinda lousy, here's the "basic" text:
It isn't wrong, but it isn't remotely helpful. Modifying the permissions for the GITHUB_TOKEN
Again, the information is kinda here, but it's more or less buried in the last sentence of the paragraph. There's a three part series: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ but none of them suggest chaining jobs to handle untrusted actions even though that's really the way to go 🙍♂️. |
jsoref
force-pushed
the
fix-coverage-workflow
branch
from
d601c08
to
8c765eb
Compare
|
Fwiw, once this is merged, someone should go in and bump I'm leaving that for a separate PR as I don't really want to extend this PR -- it's already sufficiently complicated. |
This fixes:
comment
Unhandled error: HttpError: Not Found