enhance(repo/secret): differentiate PRs from contributors vs forks
I'll point to this community proposal from several months ago as a starting place for this PR.
Rather than delving into pipeline signing or RBAC/ACL methods for protecting users from secret exposure via PR builds, I think a simpler approach of differentiating PRs from contributors and PRs from forks would be very helpful.
GitHub sends, within their pull_request payload, a field that tells us whether the HEAD is a fork or not. We can use this information to scope jobs and secret access.
Note: breaking change would be the addition of a column in the repos table, which is set to false for all repos currently in the database. Users who utilize forks for contribution will have to manually check Pull Request Forks as an allowed event for their repo. Further, any ruleset that utilizes pull_request as an event type will not work with forks. Instead, users would have to use pull_request_fork in their ruleset.
SERVER DRAFT PR: https://github.com/go-vela/server/pull/727
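As an added illustration of the classification described above (example code, not part of this PR or the go-vela code base), the following Go snippet reads the fork indicator from a constructed `pull_request` payload, maps it to a `pull_request` or `pull_request_fork` event name, and then checks whether a secret scoped to a list of events should be exposed to that build. The field names `head.repo.fork` and `head.repo.full_name` are assumed from GitHub's public repository object; a missing head repo (deleted fork) is treated as untrusted.

```go
package main

import "encoding/json"

// prEvent is the subset of GitHub's pull_request webhook payload used here.
// Assumed field names: head.repo.fork, head.repo.full_name, base.repo.full_name.
type prEvent struct {
	PullRequest struct {
		Head struct {
			Repo *struct {
				FullName string `json:"full_name"`
				Fork     bool   `json:"fork"`
			} `json:"repo"`
		} `json:"head"`
		Base struct {
			Repo struct {
				FullName string `json:"full_name"`
			} `json:"repo"`
		} `json:"base"`
	} `json:"pull_request"`
}

// ClassifyPullRequest returns "pull_request_fork" when the PR head lives in a
// fork (or the head repo is gone, which is treated as untrusted) and
// "pull_request" when the head is a branch of the base repository itself.
func ClassifyPullRequest(payload []byte) (string, error) {
	var ev prEvent
	if err := json.Unmarshal(payload, &ev); err != nil {
		return "", err
	}
	head := ev.PullRequest.Head.Repo
	if head == nil || head.Fork || head.FullName != ev.PullRequest.Base.Repo.FullName {
		return "pull_request_fork", nil
	}
	return "pull_request", nil
}

// SecretVisible reports whether a secret scoped to allowedEvents may be
// injected into a build triggered by event. A secret that lists only
// "pull_request" therefore never reaches a build from a fork.
func SecretVisible(allowedEvents []string, event string) bool {
	for _, e := range allowedEvents {
		if e == event {
			return true
		}
	}
	return false
}

// Constructed sample payloads (not real webhook captures).
const samePayload = `{"pull_request":{"head":{"repo":{"full_name":"org/app","fork":false}},"base":{"repo":{"full_name":"org/app"}}}}`
const forkPayload = `{"pull_request":{"head":{"repo":{"full_name":"alice/app","fork":true}},"base":{"repo":{"full_name":"org/app"}}}}`
```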
Codecov Report
Merging #271 (2665f9b) into main (0da8c8b) will increase coverage by 0.01%. The diff coverage is 100.00%.
```
@@            Coverage Diff             @@
##             main     #271      +/-   ##
==========================================
+ Coverage   97.00%   97.01%   +0.01%
==========================================
  Files          59       59
  Lines        6545     6569      +24
==========================================
+ Hits         6349     6373      +24
  Misses        145      145
  Partials       51       51
```
| Impacted Files | Coverage Δ | |
|---|---|---|
| database/repo.go | 98.27% <100.00%> (+0.02%) | :arrow_up: |
| library/repo.go | 100.00% <100.00%> (ø) | |
| library/secret.go | 100.00% <100.00%> (ø) | |
| yaml/ruleset.go | 100.00% <100.00%> (ø) | |