Move Transifex steps to separate workflow triggered by workflow_run #2899
+51
−21
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…or secure secrets access
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Secure Transifex Integration by Using
workflow_runTriggerThis pull request moves the Transifex synchronization steps from the main build workflow (
build.yml) to a separate workflow file, ensuring secure access to secrets and enhancing the security of our GitHub Actions workflows.Background
Previously, the Transifex steps were included in the main build workflow triggered by
pull_requestevents. However, workflows triggered bypull_requestdo not have access to secrets when the pull request originates from a forked repository. This limitation prevented the Transifex action from running successfully, as it requires access to theTX_TOKENsecret.Using
pull_request_targetcould have granted access to secrets, but it poses significant security risks. According to GitHub's security guidance, workflows triggered bypull_request_targetcan be exploited if untrusted code is executed, potentially exposing secrets or compromising the repository.Solution
To address this issue securely, I have:
sync_transifex.yml).workflow_runevents when the main build workflow (Build Bisq 2) completes successfully.mainbranch, verifying that the pull request has been merged before running the Transifex steps.By doing so, the Transifex workflow has access to the necessary secrets without exposing them to untrusted pull request code.
Security Considerations
This approach aligns with best practices recommended by GitHub to prevent potential security vulnerabilities:
pull_request_targetfor executing untrusted code with access to secrets.workflow_runafter merging intomain.For more details on the security implications, please refer to GitHub's article on Keeping your GitHub Actions and workflows secure.