Hardcode REMOTE_HTTP secret in PR workflows #262
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The REMOTE_HTTP secret was introduced to make the remote server
configurable without changing the workflow code in #218. For security
reasons, PR workflows do not have access to secret variables (this is an
oversight of the aforementioned PR).
We could switch the PR workflow to trigger on the
pull_request_target
event which allows access to secrets, but that would enable external
attackers to exfiltrate our secrets (see
https://securitylab.github.com/research/github-actions-preventing-pwn-requests).
The correct solution would be for GitHub to provide a mechanism for
marking secrets as non-sensitive (which is the case of REMOTE_HTTP). For
now, let’s just hardcode that secret in PR workflows.