Add a --db-app-token flag to "astro db" execute, push, and verify commands #15069
🦋 Changeset detected. Latest commit: bdf74fd. The changes in this PR will be included in the next version bump.
…5/Node 22 check, from 1000ms to 3000ms for two test cases
matthewp
left a comment
This would be a minor since it's a new feature.
sarah11918
left a comment
Thank you for contributing this helpful feature @webstackdev ! I left an example of what a minor changeset would normally look like to give you an idea of a direction you might want to take. Your feature is great, and we want to make sure people know about it, what it's for, and how to use it! 🙌
Co-authored-by: Sarah Rainsberger <5098874+sarah11918@users.noreply.github.com>
sarah11918
left a comment
Approving for docs, and the docs PR is also approved! 🥳
Changes

Adding the `ASTRO_DB_APP_TOKEN` secret to the environment in a CD workflow for pushing Astro DB migrations to a remote server creates a security vulnerability for repos hosted on some platforms like GitHub. The issue is that you cannot selectively block PRs from forked repos to segregate trusted and untrusted contributions. Both will run in the established CI / CD workflows. When the CD job checks out such a forked repo, untrusted code then has access to the `ASTRO_DB_APP_TOKEN` secret that is only needed by the `npm astro db` commands. With the addition of a `--db-app-token` flag for the `astro db` commands, that secret can be securely passed to the executable.

Testing
Added unit and integration tests for the changeset for happy path, error condition, and edge cases.
Docs
Docs updated in PR #12965
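To illustrate the scoping change described in the Changes section, here is an added example of a GitHub Actions deploy job (not from this PR or the Astro project): the commented-out job-level `env` is the pattern the PR argues against, and the final step passes the secret only to the one command that needs it via the new flag. The trigger, runner image, and `npx astro db push` invocation are assumptions.

```yaml
# Added example (not part of the PR): deploying Astro DB migrations from CI.
name: deploy-db
on:
  push:
    branches: [main]   # assumption: migrations are pushed only from the trusted default branch
jobs:
  push-migrations:
    runs-on: ubuntu-latest
    # Before: a job-level env exposes ASTRO_DB_APP_TOKEN to every step below,
    # including any project scripts that run during install or build.
    # env:
    #   ASTRO_DB_APP_TOKEN: ${{ secrets.ASTRO_DB_APP_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      # After: the token is handed only to the command that needs it.
      - run: npx astro db push --db-app-token "${{ secrets.ASTRO_DB_APP_TOKEN }}"
```

A command-line argument is still visible to other processes on the same runner, so keep this step in a job that runs only on trusted refs rather than on pull requests from forks.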