test / coverage workflow improvements

Nayjest · Nayjest · commit 984e24b3893e · 2026-01-30T13:27:44.000+01:00
diff --git a/.github/workflows/tests.reusable.yml b/.github/workflows/tests.reusable.yml
@@ -11,13 +11,18 @@ on:
         default: false
       environment:
         type: string
+      description: |
+        GitHub Actions environment to enforce deployment protection rules.
+        Use 'external-pr' for untrusted external PRs to require maintainer approval
+        before accessing secrets, preventing malicious code from exfiltrating credentials.
 
 permissions:
   contents: write
 
 jobs:
   test:
     runs-on: ubuntu-latest
+    # Enforces GitHub Actions environment protection rules (manual approval for external PRs)
     environment: ${{ inputs.environment }}
     strategy:
       fail-fast: false
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -1,4 +1,4 @@
-name: Tests and Coverage Badge
+name: Tests / Coverage
 
 on:
   push:
@@ -12,7 +12,7 @@ permissions:
   contents: write
 
 jobs:
-  test-internal:
+  test-trusted-src:
     if: |
       github.event_name == 'push' ||
       (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
@@ -22,14 +22,16 @@ jobs:
       update-badge: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
     secrets: inherit
 
-  test-external:
+  test-fork-pr:
     if: |
       github.event_name == 'pull_request_target' &&
       github.event.pull_request.head.repo.full_name != github.repository
     uses: ./.github/workflows/tests.reusable.yml
     with:
       ref: ${{ github.event.pull_request.head.sha }}
-      # Environment requiring mandatory code check by maintainers
-      # to mitigate exfiltrating secrets using malicious code in PRs.
+      # "external-pr" GitHub env. requires workflow execution approval by maintainers
+      # to mitigate exfiltration attacks via malicious PR code.
+      # (!) Always carefully review external PRs before approving workflow runs.
+      # Blocks exfiltration attacks via malicious PR code
       environment: external-pr
     secrets: inherit  # Required for passing secrets to reusable workflow.
