[PM-15126] Second attempt: Remove reliance on secrets in build pipelines #12387
+323
−22
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ance on secrets (#12243) * feat: create copy of desktop build for PR target * chore: add temporary file to trigger ci * fix: remove check-run from regular desktop build * feat: change browser build to not use pr target * fix: skip build-safari if secret is not available * feat: skip safari build if secrets are not available * feat: let windows desktop build without secrets * fix: has_secrets not being output correctly * feat: let macos desktop build without secrets * feat: don't build browser as part of desktop * feat: change CLI to pull_request * feat: let web build without secrets * feat: tweak lint to run on PR and not just push * feat: add PR target workflows * fix: remove wip files * fix: lint on hotfix-rc branches * feat: add new workflows to CODEOWNERS (cherry picked from commit f8c33ea)
(cherry picked from commit 645d36f)
coroiu
commented
Dec 13, 2024
Comment on lines
+58
to
65
| # Enforce permissions _if_ the workflow has access to secrets to avoid | ||
| # bots having unsupervised access to secrets. | ||
| check-run: | ||
| name: Check PR run | ||
| needs: | ||
| - check-secrets | ||
| if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }} | ||
| uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main |
There was a problem hiding this comment.
point-of-interest: Unfortunately simply referring to bitwarden/gh-actions/../check-run.yml causes all of these jobs to fail in forked repositories (example: https://github.com/coroiu/clients/actions/runs/12313774955/workflow#L57). I think this can be fixed in check-run.yml by using job-specific permissions (jobs.<job_id>.permissions) instead of as a top-level key.
Working builds in workflows was never a requirement for this ticket so we can fix this later
|
New Issues
Fixed Issues
|
coroiu
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #12387 +/- ##
==========================================
- Coverage 33.46% 33.45% -0.01%
==========================================
Files 2908 2908
Lines 91057 91057
Branches 17336 17336
==========================================
- Hits 30474 30467 -7
- Misses 58177 58184 +7
Partials 2406 2406 ☔ View full report in Codecov by Sentry. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🎟️ Tracking
📔 Objective
This PR reintroduces #12243 with one important tweak:
This is because bots have access to secrets and so we don't want to give them unsupervised access
📸 Screenshots
⏰ Reminders before review
🦮 Reviewer guidelines
:+1:) or similar for great changes:memo:) or ℹ️ (:information_source:) for notes or general info:question:) for questions:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes