Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove Slack notifications for CI failures #30

Merged
merged 1 commit into from
Feb 10, 2023
Merged

Remove Slack notifications for CI failures #30

merged 1 commit into from
Feb 10, 2023

Conversation

waiting-for-dev
Copy link
Contributor

Summary

We were storing the Slack secrets on a CircleCI context. Although we were also passing them to forks, it resulted on unauthorized builds for external contributions.

We could work around the issue in two ways:

  • Having the secrets outside of any context, but that would compromise the security of the associated Slack channel for:
    • Send messages as @CircleCI notifications
    • Send messages to channels @CircleCI notifications isn't a member of
    • Upload, edit, and delete files as CircleCI notifications
  • Using CircleCI logic statements to conditionally run jobs when CIRCLECI_USERNAME or CIRCLE_PR_USERNAME env vars are in a list of allowed users. However, that would be something difficult to maintain, and there's no other way to check the user's role.

Given that we don't find those trade-offs to be acceptable, we remove the integration for now.

Closes #4902

Checklist

Check out our PR guidelines for more details.

The following are mandatory for all PRs:

The following are not always needed:

  • 📖 I have updated the README to account for my changes.
  • 📑 I have documented new code with YARD.
  • 🛣️ I have opened a PR to update the guides.
  • ✅ I have added automated tests to cover my changes.
  • 📸 I have attached screenshots to demo visual changes.

@waiting-for-dev
Remove Slack notifications for CI failures
9343b09 
We were storing the Slack secrets on a CircleCI context [1]. Although we
were also passing them to forks [2], it resulted on unauthorized builds
for external contributions.

We could work around the issue in two ways:

- Having the secrets outside of any context, but that would compromise
 the security of the associated Slack channel for:
  - Send messages as @circleci notifications
  - Send messages to channels @circleci notifications isn't a member of
  - Upload, edit, and delete files as CircleCI notifications
- Using CircleCI logic statements [3] to conditionally run jobs when
`CIRCLECI_USERNAME` or `CIRCLE_PR_USERNAME` env vars [4] are in a list
of allowed users. However, that would be something difficult to
maintain, and there's no other way to check the user's role.

Given that we don't find those trade-offs to be acceptable, we remove
the integration for now.

[1] - https://circleci.com/docs/contexts/
[2] - https://circleci.com/docs/oss/#pass-secrets-to-builds-from-forked-pull-requests
[3] - https://circleci.com/docs/configuration-reference/#logic-statements
[4] - https://circleci.com/docs/variables/
@waiting-for-dev waiting-for-dev mentioned this pull request Feb 9, 2023
Closed
@waiting-for-dev waiting-for-dev merged commit 0eb35c8 into master Feb 10, 2023
@waiting-for-dev waiting-for-dev deleted the waiting-for-dev/remove_slack_notifications branch February 10, 2023 04:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kennyadsl kennyadsl kennyadsl approved these changes

@elia elia Awaiting requested review from elia

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@waiting-for-dev @kennyadsl