From 04700404fbb495e83b995c7f0e80e7011b2fd382 Mon Sep 17 00:00:00 2001
From: Rory Abraham
Date: Tue, 15 Mar 2022 10:39:35 -0700
Subject: [PATCH] Get rid of workflow-level repo secret

---
 .github/workflows/README.md | 41 +++++++++++----------
 .github/workflows/cherryPick.yml | 15 ++++++--
 .github/workflows/updateProtectedBranch.yml | 7 ++--
 3 files changed, 37 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index be6efb918fb6..3a8477b607de 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -48,6 +48,7 @@ We've found that the best way to avoid this pitfall is to always wrap any refere
 1. Review all modifications to our workflows with extra scrutiny, it is important to get it correct the first time.
 1. Test workflow changes in your own public fork, for example: https://github.com/Andrew-Test-Org/Public-Test-Repo
 1. Only trusted users will be allowed write access to the repository, however, it's good to add logic checks in actions to prevent human error.
+1. Do not add repo secrets to the environment at the workflow or job level. Only add them to the environment at the step level.
 
 ## Further Reading 📖
 1. https://securitylab.github.com/research/github-actions-preventing-pwn-requests
@@ -57,23 +58,23 @@ We've found that the best way to avoid this pitfall is to always wrap any refere
 The GitHub workflows require a large list of secrets to deploy, notify and test the code:
 1. `LARGE_SECRET_PASSPHRASE` - decrypts secrets stored in various encrypted files stored in GitHub repository. To create updated versions of these encrypted files, refer to steps 1-4 of [this encrypted secrets help page](https://docs.github.com/en/actions/reference/encrypted-secrets#limits-for-secrets) using the `LARGE_SECRET_PASSPHRASE`.
 1. `android/app/my-upload-key.keystore.gpg`
- 2. `android/app/android-fastlane-json-key.json.gpg`
- 3. `ios/chat_expensify_appstore.mobileprovision`
- 4. `ios/Certificates.p12.gpg`
-2. `SLACK_WEBHOOK` - Sends Slack notifications via Slack WebHook https://expensify.slack.com/services/B01AX48D7MM
-3. `OS_BOTIFY_TOKEN` - Personal access token for @OSBotify user in GitHub
-4. `CLA_BOTIFY_TOKEN` - Personal access token for @CLABotify user in GitHub
-5. `CSC_LINK` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
-6. `CSC_KEY_PASSWORD` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
-7. `APPLE_ID` - Required for notarizing desktop code in `desktop/notarize.js`
-8. `APPLE_ID_PASSWORD` - Required for notarizing desktop code in `desktop/notarize.js`
-9. `AWS_ACCESS_KEY_ID` - Required for hosting website and desktop compiled code
-10. `AWS_SECRET_ACCESS_KEY` - Required for hosting website and desktop compiled code
-11. `CLOUDFLARE_TOKEN` - Required for hosting website
-12. `APPLE_CONTACT_EMAIL` - Email used for contact between Expensify and Apple for https://appstoreconnect.apple.com/
-13. `APPLE_CONTACT_PHONE` - Phone number used for contact between Expensify and Apple for https://appstoreconnect.apple.com/
-14. `APPLE_DEMO_EMAIL` - Demo account email used for https://appstoreconnect.apple.com/
-15. `APPLE_DEMO_PASSWORD` - Demo account password used for https://appstoreconnect.apple.com/
+ 1. `android/app/android-fastlane-json-key.json.gpg`
+ 1. `ios/chat_expensify_appstore.mobileprovision`
+ 1. `ios/Certificates.p12.gpg`
+1. `SLACK_WEBHOOK` - Sends Slack notifications via Slack WebHook https://expensify.slack.com/services/B01AX48D7MM
+1. `OS_BOTIFY_TOKEN` - Personal access token for @OSBotify user in GitHub
+1. `CLA_BOTIFY_TOKEN` - Personal access token for @CLABotify user in GitHub
+1. `CSC_LINK` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
+1. `CSC_KEY_PASSWORD` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
+1. `APPLE_ID` - Required for notarizing desktop code in `desktop/notarize.js`
+1. `APPLE_ID_PASSWORD` - Required for notarizing desktop code in `desktop/notarize.js`
+1. `AWS_ACCESS_KEY_ID` - Required for hosting website and desktop compiled code
+1. `AWS_SECRET_ACCESS_KEY` - Required for hosting website and desktop compiled code
+1. `CLOUDFLARE_TOKEN` - Required for hosting website
+1. `APPLE_CONTACT_EMAIL` - Email used for contact between Expensify and Apple for https://appstoreconnect.apple.com/
+1. `APPLE_CONTACT_PHONE` - Phone number used for contact between Expensify and Apple for https://appstoreconnect.apple.com/
+1. `APPLE_DEMO_EMAIL` - Demo account email used for https://appstoreconnect.apple.com/
+1. `APPLE_DEMO_PASSWORD` - Demo account password used for https://appstoreconnect.apple.com/
 
 ## Actions
@@ -81,9 +82,9 @@ All these _workflows_ are comprised of atomic _actions_. Most of the time, we ca
 All our actions are stored in the neighboring directory [`.github/actions`](https://github.com/Expensify/App/tree/main/.github/actions).
 
 Each action is a module comprised of three parts:
-1) An [action metadata file](https://docs.github.com/en/free-pro-team@latest/actions/creating-actions/creating-a-javascript-action#creating-an-action-metadata-file) called `action.yml`. This describes the action, gives it a name, and defines its inputs and outputs.
-2) A Node.js script, whose name matches the module. This is where you can implement the custom logic for your action.
-3) A compiled file called index.js. This is a compiled output of the file from (2) and should _NEVER_ be directly modified.
+1. An [action metadata file](https://docs.github.com/en/free-pro-team@latest/actions/creating-actions/creating-a-javascript-action#creating-an-action-metadata-file) called `action.yml`. This describes the action, gives it a name, and defines its inputs and outputs.
+1. A Node.js script, whose name matches the module. This is where you can implement the custom logic for your action.
+1. A compiled file called index.js. This is a compiled output of the file from (2) and should _NEVER_ be directly modified.
 
 ### Why do actions need to be compiled?
diff --git a/.github/workflows/cherryPick.yml b/.github/workflows/cherryPick.yml
index 40852bcf5127..407a16bb7464 100644
--- a/.github/workflows/cherryPick.yml
+++ b/.github/workflows/cherryPick.yml
@@ -11,9 +11,6 @@ on:
 required: false
 default: ''
 
-env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 jobs:
 validateActor:
 runs-on: ubuntu-latest
@@ -43,6 +40,8 @@ jobs:
 - uses: softprops/turnstyle@8db075d65b19bf94e6e8687b504db69938dc3c65
 with:
 poll-interval-seconds: 10
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Create new BUILD version
 uses: Expensify/App/.github/actions/triggerWorkflowAndWait@main
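Review bot: Moving `GITHUB_TOKEN` into the `env:` of the turnstyle step narrows which processes receive the secret, but it does nothing to narrow what the token can do: the third-party action still gets a token carrying whatever the workflow or repository default grants, and no `permissions:` key is visible anywhere in these hunks. Pair the step-level scoping with a top-level `permissions:` block that lists only the scopes the `gh pr` and turnstyle steps need, so that a compromised step holds a minimal token rather than a default one. The action is pinned to a full commit SHA, which is the right supply-chain practice; a trailing comment such as `# v1.x.y` recording the release that SHA corresponds to would make the pin reviewable when it is next bumped. The enclosing job begins before this hunk.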
@@ -160,10 +159,14 @@ jobs:
 - name: Auto-assign PR if there are merge conflicts or if the bundle versions are mismatched
 if: ${{ !fromJSON(steps.cherryPick.outputs.SHOULD_AUTOMERGE) || !fromJSON(steps.isShortVersionStringUpdated.outputs.BUNDLE_VERSIONS_MATCH) }}
 run: gh pr edit --add-label "Engineering,Hourly"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Assign the PR to the deployer
 if: ${{ !fromJSON(steps.cherryPick.outputs.SHOULD_AUTOMERGE) }}
 run: gh pr edit --add-assignee ${{ steps.getCPMergeCommit.outputs.MERGE_ACTOR }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: If PR has merge conflicts, comment with instructions for assignee
 if: ${{ !fromJSON(steps.cherryPick.outputs.SHOULD_AUTOMERGE) }}
@@ -172,6 +175,8 @@ jobs:
 "This pull request has merge conflicts and can not be automatically merged. :disappointed: Please manually resolve the conflicts, push your changes, and then request another reviewer to review and merge. **Important:** There may be conflicts that GitHub is not able to detect, so please _carefully_ review this pull request before approving."
+ env:
+ GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
 
 - name: If PR has a bundle version mismatch, comment with the instructions for assignee
 if: ${{ !fromJSON(steps.isShortVersionStringUpdated.outputs.BUNDLE_VERSIONS_MATCH) }}
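Review bot: The "Assign the PR to the deployer" step now receives `GITHUB_TOKEN` through `env:`, yet its `run:` line still expands `${{ steps.getCPMergeCommit.outputs.MERGE_ACTOR }}` straight into the shell command, which is exactly the expression-in-`run` pattern the README text in this same patch tells contributors to wrap. MERGE_ACTOR is presumably a GitHub login, which limits the practical risk, but from the shell's point of view it is still text produced by an earlier step rather than something the workflow controls. Pass it the same way the token is now passed: add `MERGE_ACTOR: ${{ steps.getCPMergeCommit.outputs.MERGE_ACTOR }}` under that step's `env:` and change the command to `run: gh pr edit --add-assignee "$MERGE_ACTOR"`. The job containing these steps starts before this hunk and continues after it.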
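Review bot: The merge-conflict comment step is given `secrets.OS_BOTIFY_TOKEN` while the neighbouring `gh pr edit` steps get `secrets.GITHUB_TOKEN`, and nothing in the hunk records why a personal access token is required here rather than the scoped workflow token. If the reason is that the comment must appear as @OSBotify, or that it must be able to trigger downstream workflows (events authored with `GITHUB_TOKEN` do not), say so next to the line, e.g. `# PAT: comment must be posted by @OSBotify, not github-actions[bot]`. Without that note a later cleanup could swap in `GITHUB_TOKEN` for consistency and silently change behaviour. The step's `uses:`/`with:` lines are above this hunk, so the action that consumes the token is not visible here.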
@@ -180,11 +185,15 @@ jobs:
 "The CFBundleShortVersionString value in this PR is not compatible with the CFBundleVersion, so cherry picking it will result in an iOS deploy failure. Please manually resolve the mismatch, push your changes, and then request another reviewer to review and merge. **Important:** This mismatch can be caused by a failed Update Protected Branch workflow followed by a manual CP, but please confirm the cause of the mismatch before updating any version numbers."
+ env:
+ GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
 
 - name: Auto-approve the PR
 # Important: only auto-approve if there was no merge conflict!
 if: ${{ fromJSON(steps.cherryPick.outputs.SHOULD_AUTOMERGE) }}
 run: gh pr review --approve
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Check if pull request is mergeable
 id: isPullRequestMergeable
diff --git a/.github/workflows/updateProtectedBranch.yml b/.github/workflows/updateProtectedBranch.yml
index b99d1d73f225..40f00fb63cd0 100644
--- a/.github/workflows/updateProtectedBranch.yml
+++ b/.github/workflows/updateProtectedBranch.yml
@@ -12,9 +12,6 @@ on:
 required: false
 default: ''
 
-env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 jobs:
 updateBranch:
 if: github.actor == 'OSBotify'
@@ -108,6 +105,8 @@ jobs:
 - name: Auto-approve the PR
 run: gh pr review --approve
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Check if pull request is mergeable
 id: isPullRequestMergeable
@@ -131,6 +130,8 @@ jobs:
 - name: Auto-merge the PR
 run: gh pr merge --merge --delete-branch
+ env:
+ GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
 
 # This Slack step is duplicated in all workflows, if you make a change to this step, make sure to update all
 # the other workflows with the same change
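Review bot: Nothing in the patch enforces the new rule that secrets are only placed in step-level `env:`; after this change the `Auto-approve the PR` step in updateProtectedBranch.yml is correct, but a future job-level `env:` carrying `secrets.*` would be equally valid YAML and would be caught only by a reviewer remembering the README line. A one-line guard in CI would make the rule mechanical, for example `run: "! grep -nE '^( {4})?env:' .github/workflows/*.yml"`, which fails the build on `env:` at workflow indentation or at job indentation (four spaces under `jobs:`) while leaving the deeper step-level form alone. The indentation widths assume two-space nesting, so confirm them against the files before adopting the pattern. The `updateBranch` job begins before this hunk and continues after it.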