Move Transifex steps to separate workflow triggered by workflow_run #2899
## Secure Transifex Integration by Using `workflow_run` Trigger

This pull request moves the Transifex synchronization steps from the main build workflow (`build.yml`) to a separate workflow file, ensuring secure access to secrets and enhancing the security of our GitHub Actions workflows.

### Background

Previously, the Transifex steps were included in the main build workflow triggered by `pull_request` events. However, workflows triggered by `pull_request` do not have access to secrets when the pull request originates from a forked repository. This limitation prevented the Transifex action from running successfully, as it requires access to the `TX_TOKEN` secret.

Using `pull_request_target` could have granted access to secrets, but it poses significant security risks. According to GitHub's security guidance, workflows triggered by `pull_request_target` can be exploited if untrusted code is executed, potentially exposing secrets or compromising the repository.

### Solution

To address this issue securely, I have:

- … (`sync_transifex.yml`).
- … `workflow_run` events when the main build workflow (`Build Bisq 2`) completes successfully.
- … `main` branch, verifying that the pull request has been merged before running the Transifex steps.

By doing so, the Transifex workflow has access to the necessary secrets without exposing them to untrusted pull request code.

### Security Considerations

This approach aligns with best practices recommended by GitHub to prevent potential security vulnerabilities:

- … `pull_request_target` for executing untrusted code with access to secrets.
- … `workflow_run` after merging into `main`.

For more details on the security implications, please refer to GitHub's article on Keeping your GitHub Actions and workflows secure.
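As an added illustration, not the file from this PR, here is what a `sync_transifex.yml` built on the points above could look like. The job layout, the checkout ref, and the Transifex CLI install and push steps are assumptions; the `head_repository` check goes one step beyond the description to cover a pull request opened from a fork whose own branch is also named `main`, which would otherwise pass a `head_branch` check alone.

```yaml
# Assumed example of sync_transifex.yml (not the PR's actual file).
name: Sync Transifex

on:
  workflow_run:
    # Must match the `name:` of the main build workflow exactly.
    workflows: ["Build Bisq 2"]
    types: [completed]

jobs:
  push-sources:
    runs-on: ubuntu-latest
    # A workflow_run workflow always runs with repository secrets, so every
    # condition below matters:
    #  - conclusion: only sync after a green build
    #  - head_branch: only for runs on main (i.e. after the PR was merged)
    #  - head_repository: a fork PR whose branch is itself called "main"
    #    reports head_branch == 'main', so also require the base repo
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_branch == 'main' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the exact commit that was built, not whatever main
          # points at by the time this workflow starts.
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Install Transifex CLI
        # Assumed install step; pin to a specific release in practice rather
        # than fetching the latest script in a job that holds a secret.
        run: curl -o- https://raw.githubusercontent.com/transifex/cli/master/install.sh | bash

      - name: Push source strings
        env:
          # Only reachable once the guards above have passed.
          TX_TOKEN: ${{ secrets.TX_TOKEN }}
        run: ./tx push --source
```

This assumes the `Build Bisq 2` workflow also runs on pushes to `main`; if it only runs on `pull_request`, no run will ever satisfy the `head_branch` guard.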