Harden manual store submission workflow #990
📝 Walkthrough
This PR modifies the tagged-release GitHub Actions workflow. It removes the workflow-level GH_TOKEN env block and instead sets GH_TOKEN per-step for checkout, upload, and edit steps. It also conditionally sets persist-credentials on checkout and splits the single store-submission step into separate dry-run and push-triggered steps.
Changes: Release Workflow GH_TOKEN Scoping and Submission Split
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Trigger as Workflow Trigger
    participant Checkout as actions/checkout
    participant SubmitDryRun as Submit stores dry run
    participant SubmitPush as Submit stores
    participant ReleaseScript as release:submit script
    Trigger->>Checkout: run with persist-credentials based on push flag
    alt non-push and submit_stores=true
        Checkout->>SubmitDryRun: proceed to dry-run step
        SubmitDryRun->>SubmitDryRun: validate inputs.dry_run == "true"
        SubmitDryRun->>ReleaseScript: npm run release:submit -- --dry-run
    else push event
        Checkout->>SubmitPush: proceed to push step
        SubmitPush->>ReleaseScript: npm run release:submit
    end
```
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
PR Summary by Qodo: Harden tagged-release workflow to prevent secret exposure on manual dispatch
Files changed (1)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a3d0e2303d
| CHROME_CLIENT_ID: dry-run-chrome-client-id | ||
| CHROME_CLIENT_SECRET: dry-run-chrome-client-secret | ||
| CHROME_REFRESH_TOKEN: dry-run-chrome-refresh-token |
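Review bot: these three values are plain placeholder strings, so nothing in the env block itself stops them from being handed to the Chrome store client as if they were real credentials; the only protection is the surrounding step's forced `--dry-run`. If `release:submit --dry-run` still authenticates before skipping the upload, as the Codex comment above reports, this step will fail at auth rather than exercising the artifacts, which is the opposite of what a preflight should do. Suggest either naming the values so they are obviously inert (e.g. `CHROME_CLIENT_ID: dry-run-placeholder-not-a-secret`) and adding an explicit `if [ "$DRY_RUN" = "true" ]` guard inside the step, or giving the script a no-auth preflight mode the manual path calls instead; the Firefox/Edge counterparts are not visible in this excerpt and should get the same treatment.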
Don't feed dummy credentials to dry-run submission
When this workflow is manually dispatched with submit_stores=true, these fake credentials make the dry run fail during store authentication rather than validating the release artifacts. I checked publish-browser-extension: its --dry-run option is documented as checking authentication, and its store submit paths fetch auth tokens/details before skipping upload, so npm run release:submit -- --dry-run will reject the dummy Chrome/Firefox/Edge values. If manual runs must avoid secrets, this step needs a non-auth preflight path instead of invoking the real dry-run submission with fake credentials.
Pull request overview
This PR hardens the tagged-release GitHub Actions workflow to prevent credential exposure when collaborators manually trigger workflow_dispatch, while keeping real store submissions restricted to trusted tag-push runs.
Changes:
- Removed the workflow-wide `GH_TOKEN` and instead injects `GH_TOKEN` only into the push-only `gh release` steps.
- Prevents credential persistence during manual runs by setting `actions/checkout` `persist-credentials` to only persist on `push`.
- Splits store submission into a manual-only dry-run step (with dummy store env vars and forced `--dry-run`) and a push-only real submission step (with `secrets.*`).
Motivation
Storing store credentials could allow collaborators who can dispatch workflows to use a protected branch to steal release keys.
Description
- `.github/workflows/tagged-release.yml` to remove the global `GH_TOKEN` and inject `GH_TOKEN` only into the push-only step that requires `gh release`.
- `persist-credentials: ${{ github.event_name == 'push' }}` to `actions/checkout` to prevent manually triggered runs from inheriting repository credentials.
- `Submit stores dry run` step that only allows `--dry-run` and injects a set of dummy store environment variables; the actual submission is handled by the push-only `Submit stores` step, which injects the real `secrets.*`.
- `scripts/submit-stores.mjs`) to minimize risk with the smallest possible scope.
Testing
- `npm test`, and all tests passed.
- `npm run pretty`, `npm run lint`, and `npm run build`; all commands completed successfully.
- `ruby -e 'require "yaml"; YAML.load_file(".github/workflows/tagged-release.yml")'`.
- `build/chromium` contains the main release files (`manifest.json`, `background.js`, `content-script.js`, `popup.html`, etc.).
Codex Task
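The hardened layout the PR description and the Copilot overview above describe, written out as an added example; this is not the project's `.github/workflows/tagged-release.yml`. The step names, the `persist-credentials` expression, the placeholder Chrome env var names and values, and the split between a forced `--dry-run` manual step and a push-only real step follow the PR. The workflow name, tag pattern, `submit_stores` input type, `permissions` block, Node setup, `npm ci`/`npm run build` steps and the `build/*.zip` upload glob are assumptions for illustration.

```yaml
name: Tagged release (hardened example, not the project's workflow)

on:
  push:
    tags: ["v*"]                      # assumption: release tags look like v1.2.3
  workflow_dispatch:
    inputs:
      submit_stores:
        description: "Run the store submission dry run"
        type: boolean
        default: false

# Assumption: least-privilege default token. contents:write is what
# `gh release upload` / `gh release edit` need; nothing else is granted.
permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest
    # No job- or workflow-level env: block, so no step inherits GH_TOKEN
    # or store credentials implicitly.
    steps:
      - uses: actions/checkout@v4
        with:
          # Only tag-push runs keep the token in .git/config; a manually
          # dispatched run cannot reuse it from a later step.
          persist-credentials: ${{ github.event_name == 'push' }}

      - uses: actions/setup-node@v4      # assumption: Node toolchain
        with:
          node-version: 20

      - run: npm ci
      - run: npm run build

      # Manual path: never references secrets.* and cannot drop --dry-run.
      - name: Submit stores dry run
        if: github.event_name == 'workflow_dispatch' && inputs.submit_stores
        env:
          CHROME_CLIENT_ID: dry-run-chrome-client-id
          CHROME_CLIENT_SECRET: dry-run-chrome-client-secret
          CHROME_REFRESH_TOKEN: dry-run-chrome-refresh-token
        run: npm run release:submit -- --dry-run

      # Tag-push path: real credentials, only on the trusted trigger.
      - name: Submit stores
        if: github.event_name == 'push'
        env:
          CHROME_CLIENT_ID: ${{ secrets.CHROME_CLIENT_ID }}
          CHROME_CLIENT_SECRET: ${{ secrets.CHROME_CLIENT_SECRET }}
          CHROME_REFRESH_TOKEN: ${{ secrets.CHROME_REFRESH_TOKEN }}
        run: npm run release:submit

      # GH_TOKEN is scoped to the single step that calls gh, and that step
      # is itself push-only, so a manual run never has a usable token.
      - name: Upload release artifacts
        if: github.event_name == 'push'
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "$GITHUB_REF_NAME" build/*.zip --clobber
```

The property to check when reviewing a workflow like this is that no step reachable from `workflow_dispatch` references `secrets.*` or `GH_TOKEN`, and that checkout does not persist the token on that path; a collaborator who can dispatch then gets a build and a dry run, but nothing they could exfiltrate. The Codex comment above still applies: if `release:submit --dry-run` authenticates before it skips the upload, the placeholder values make the manual step fail at auth, so the dry-run step needs a no-auth preflight in the script to be useful as a validation step.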