Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Keep publish secrets scoped to specific steps #92

Merged
merged 6 commits into from
Jan 23, 2022
Merged

Keep publish secrets scoped to specific steps #92

merged 6 commits into from
Jan 23, 2022

Conversation

armanbilge
Copy link
Member

@armanbilge armanbilge commented Jan 23, 2022
edited
Loading

Currently, they are available in the entire workflow. This adds a new setting githubWorkflowPublishEnv that allows us to scope these secrets to only the publish job which should be the only place they are used.

Technically a breaking change if someone was relying on the old global scoping.

@armanbilge
Copy link
Member Author

Actually, we can do even better here and keep them scoped to the specific steps maybe.

rossabaker
rossabaker approved these changes Jan 23, 2022
View reviewed changes
Copy link
Member

@rossabaker rossabaker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't reduce the malicious threat vector much, but it reduces the stupid threat vector, and that's a good thing.

@armanbilge armanbilge changed the title Keep publish secrets scoped to publish job Keep publish secrets scoped to specific steps Jan 23, 2022
@armanbilge armanbilge closed this Jan 23, 2022
@armanbilge armanbilge reopened this Jan 23, 2022
@armanbilge
Copy link
Member Author

Huh. I must have broke the workflows?

armanbilge
armanbilge commented Jan 23, 2022
View reviewed changes
.github/workflows/ci.yml Outdated
@@ -132,17 +128,26 @@ jobs:
rm targets.tar

- name: Import signing key
if: env.PGP_SECRET != '' && env.PGP_PASSPHRASE == ''
if: secrets.PGP_SECRET != '' && secrets.PGP_PASSPHRASE == ''
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Secrets can't be used in conditionals. I'm not sure if we can use env here if we only set it for this step (not sure what happens first).

@armanbilge
Copy link
Member Author

Not 100% convinced but let's see what happens on main.

@armanbilge armanbilge merged commit 94e52ef into typelevel:main Jan 23, 2022
@armanbilge armanbilge mentioned this pull request Jan 23, 2022
Merged
@armanbilge armanbilge mentioned this pull request Mar 18, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rossabaker rossabaker rossabaker approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@armanbilge @rossabaker