Skip to content

feat: sanitize input tokens #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: sanitize input tokens #94

wants to merge 3 commits into from

Conversation

ZachGoldberg
Copy link
Contributor

@ZachGoldberg ZachGoldberg commented Nov 11, 2024
edited
Loading

TODO: Test it

odgrim
odgrim previously approved these changes Nov 11, 2024
View reviewed changes
yhakbar
yhakbar requested changes Nov 11, 2024
View reviewed changes
ZachGoldberg
ZachGoldberg commented Nov 11, 2024
View reviewed changes
.github/workflows/pipelines-root.yml Outdated
id: secrets
shell: bash
run: |
PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to actually reference the secret, its not in env yet.

@Resonance1584
Copy link
Contributor

Wouldn't this be simpler in pipelines-credentials? gruntwork-io/pipelines-credentials#8

@ZachGoldberg
Copy link
Contributor Author

Wouldn't this be simpler in pipelines-credentials? gruntwork-io/pipelines-credentials#8

No argument from me. We'd have to do all the tokens, and still update the references in primary workflows, but it would avoid adding another step to workflows.

ZachGoldberg
ZachGoldberg commented Nov 12, 2024
View reviewed changes
.github/workflows/pipelines-root.yml
with:
IS_ROOT: "true"
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
PIPELINES_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Resonance1584 can you confirm this change makes sense? This is the only case where we were reading a secret directly instead of reading from the output of a credentials step

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No this doesn't make sense without reworking preflight https://github.com/gruntwork-io/pipelines-actions/blob/main/.github/actions/pipelines-preflight-action/scripts/check-token-permissions.sh#L94-L118

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Resonance1584 Resonance1584 Resonance1584 left review comments

@yhakbar yhakbar yhakbar requested changes

@odgrim odgrim odgrim left review comments

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ZachGoldberg @Resonance1584 @odgrim @yhakbar