Expand file tree Collapse file tree 2 files changed +12
-5
lines changed Original file line number Diff line number Diff line change 1111 default : false
1212 environment :
1313 type : string
14+ description : |
15+ GitHub Actions environment to enforce deployment protection rules.
16+ Use 'external-pr' for untrusted external PRs to require maintainer approval
17+ before accessing secrets, preventing malicious code from exfiltrating credentials.
1418
1519permissions :
1620 contents : write
1721
1822jobs :
1923 test :
2024 runs-on : ubuntu-latest
25+ # Enforces GitHub Actions environment protection rules (manual approval for external PRs)
2126 environment : ${{ inputs.environment }}
2227 strategy :
2328 fail-fast : false
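Review bot: The `environment` input whose description is added here has neither `required: true` nor a `default`, so a caller that omits it hands an empty string to `environment: ${{ inputs.environment }}` and, as far as I can tell from GitHub's behaviour, the job then runs with no environment and therefore no approval gate, even though the new description presents this input as the exfiltration control. The description should also make clear that the gate exists only when the named environment has required reviewers configured in repository settings; a job that references an environment that does not yet exist has it created automatically with no protection rules. I would append to the block scalar: `The approval gate is enforced only if the named environment exists and has required reviewers configured; leaving this input empty runs the job with no environment protection.` The enclosing `inputs` mapping starts above this section.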
Original file line number Diff line number Diff line change 1- name : Tests and Coverage Badge
1+ name : Tests / Coverage
22
33on :
44 push :
@@ -12,7 +12,7 @@ permissions:
1212 contents : write
1313
1414jobs :
15- test-internal :
15+ test-trusted-src :
1616 if : |
1717 github.event_name == 'push' ||
1818 (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
@@ -22,14 +22,16 @@ jobs:
2222 update-badge : ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
2323 secrets : inherit
2424
25- test-external :
25+ test-fork-pr :
2626 if : |
2727 github.event_name == 'pull_request_target' &&
2828 github.event.pull_request.head.repo.full_name != github.repository
2929 uses : ./.github/workflows/tests.reusable.yml
3030 with :
3131 ref : ${{ github.event.pull_request.head.sha }}
32- # Environment requiring mandatory code check by maintainers
33- # to mitigate exfiltrating secrets using malicious code in PRs.
32+ # "external-pr" GitHub env. requires workflow execution approval by maintainers
33+ # to mitigate exfiltration attacks via malicious PR code.
34+ # (!) Always carefully review external PRs before approving workflow runs.
35+ # Blocks exfiltration attacks via malicious PR code
3436 environment : external-pr
3537 secrets : inherit # Required for passing secrets to reusable workflow.
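Review bot: The added comment `# Blocks exfiltration attacks via malicious PR code` restates the two comment lines directly above it and overstates them: an `environment:` reference blocks nothing by itself, the gate exists only if `external-pr` has required reviewers configured in repository settings, and referencing an environment that does not yet exist creates it with no protection rules. Because `test-fork-pr` runs on `pull_request_target` with the fork's `head.sha` and `secrets: inherit`, that reviewer configuration is the only control between fork code and repository secrets, so the comment should name that dependency rather than claim the attack is blocked. I would drop the duplicate line and reword the first two comment lines to `# "external-pr" GitHub env. gates this job on maintainer approval (required reviewers must be` / `# configured on the environment in repo settings) to mitigate secret exfiltration via malicious PR code.`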