Conversation


@webstackdev webstackdev commented Dec 21, 2025

Changes

Adding the `ASTRO_DB_APP_TOKEN` secret to the environment in a CD workflow for pushing Astro DB migrations to a remote server creates a security vulnerability for repos hosted on some platforms like GitHub. The issue is that you cannot selectively block PRs from forked repos to segregate trusted and untrusted contributions. Both will run in the established CI/CD workflows. When the CD job checks out such a forked repo, untrusted code then has access to the `ASTRO_DB_APP_TOKEN` secret, which is only needed by the `npm astro db` commands. With the addition of a `--db-app-token` flag for the `astro db` commands, that secret can be securely passed to the executable.

Testing

Added unit and integration tests for the changeset for happy path, error condition, and edge cases.

Docs

Docs updated in PR #12965
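The configuration change the PR description is driving at, shown as an added example that is not part of the PR or of the Astro project: a GitHub Actions deploy job with the secret exposed at job level beside the same job with the secret scoped to the single step that needs it and handed over through the `--db-app-token` flag this PR adds. Only `ASTRO_DB_APP_TOKEN` and `--db-app-token` come from the page; the workflow name, job name and the use of `astro db push --remote` as the migration command are assumptions for illustration.

```yaml
# Added example, not the PR's own code. Two ways to wire the token into a
# GitHub Actions deploy job; names other than ASTRO_DB_APP_TOKEN and
# --db-app-token are constructed for illustration.

# --- Weak: the secret is injected at job level, so every step that runs
# code from the checked-out tree (install scripts, the build) can read it
# from its environment.
name: deploy-db (weak)
on:
  push:
    branches: [main]
jobs:
  push-migrations:
    runs-on: ubuntu-latest
    env:
      ASTRO_DB_APP_TOKEN: ${{ secrets.ASTRO_DB_APP_TOKEN }}   # visible to all steps
    steps:
      - uses: actions/checkout@v4
      - run: npm ci                   # lifecycle scripts run with the token in env
      - run: npm run build            # repo-controlled code, token in env
      - run: npx astro db push --remote   # the only step that actually needs it
---
# --- Hardened: no job-level env. The token is materialised only for the one
# step that pushes migrations, and reaches the command through the new flag.
name: deploy-db (hardened)
on:
  push:
    branches: [main]
jobs:
  push-migrations:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci                   # no DB token in this step's environment
      - run: npm run build            # nor in this one
      - run: npx astro db push --remote --db-app-token "$DB_TOKEN"
        env:
          DB_TOKEN: ${{ secrets.ASTRO_DB_APP_TOKEN }}   # scoped to this step only
```

The point of the hardened form is reach, not secrecy of the value: the token never exists in the environment of the install or build steps, so code pulled in from the repository tree cannot read it there. Passing the value through a step-scoped variable rather than inlining the `${{ secrets.… }}` expression into the `run:` line keeps it out of the shell command text that is echoed into the job log (GitHub masks registered secrets in logs, but scoping is the defence that does not depend on masking).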


changeset-bot bot commented Dec 21, 2025

🦋 Changeset detected

Latest commit: e69f7be

The changes in this PR will be included in the next version bump.


@github-actions github-actions bot added the pkg: astro Related to the core `astro` package (scope) label Dec 21, 2025