[PM-7025] include check-run in workflows where secrets are used #9135
base: main
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #9135 +/- ##
==========================================
- Coverage 27.76% 27.76% -0.01%
==========================================
Files 2421 2421
Lines 70098 70097 -1
Branches 13059 13059
==========================================
- Hits 19463 19462 -1
Misses 49123 49123
Partials 1512 1512
☔ View full report in Codecov by Sentry.
No New Or Fixed Issues Found
This PR wouldn't be necessary as-is; when you look at all the other workflows in this repo it might be. I would like to see one PR for the entire repo, as is relevant.
.github/workflows/build-cli.yml
Outdated
@@ -27,12 +27,18 @@ on: | |||
- '.github/workflows/build-cli.yml' | |||
workflow_dispatch: | |||
inputs: {} | |||
pull_request_target: |
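Review bot: `pull_request_target:` at the end of this hunk makes the workflow run in the base repository's context, where secrets are available even for pull requests opened from forks, so every job that checks out or builds PR code needs to depend on the gating job before this trigger is enabled. The hunk header shows six added lines but only the trigger key is visible here; state the event types explicitly and say whether this replaces the existing pull request trigger or runs alongside it, since running both would build each PR twice.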
❌ You have to replace the above pull_request_target with this.
.github/workflows/build-cli.yml
Outdated
@@ -362,6 +368,7 @@ jobs: | |||
- cli | |||
- cli-windows | |||
- snap | |||
- check-run |
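Review bot: adding `- check-run` to this list next to `cli`, `cli-windows` and `snap` gates only the job that owns the list, not the jobs it names. If the goal is to keep untrusted PR code away from secrets, the dependency belongs on whichever job actually reads the secret, and a short comment naming that secret and the events it is used on would make the need for the gate reviewable.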
❌ This is expanding the work surface but touches on something Oscar was bringing up -- needing secrets, and when. You'll see below that the secret reference is only relevant when on non-PR builds, so this check isn't even necessary.
ok, in that case we don't need check-run for this one.
Type of change
GitHub workflows
Objective
As part of our organization-wide effort to secure bw code repos, a change to include check-run in workflows where secrets are used is required.
Code changes
Incremental change to existing workflows