ci(security): Run the workflow on a protected environment #153
| macos-packaging-push: | ||
| name: Build macOS installer and sign/notarize artifacts (push) | ||
| if: github.event_name == 'push' |
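Review bot: the job-level guard `if: github.event_name == 'push'` on its own admits every push event and only stays correct for as long as the workflow-level `on: push` filter keeps restricting it to `main` and `v*` tags; consider stating the restriction on the job itself, e.g. `if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))`, and declaring `environment: name: main` on this job so the signing secrets are scoped to it and to nothing else in the workflow.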
nit: I would like to make it clearer that this only runs on pushes to main (or to v* tags), instead of any pushes to the repo.
In the same vein, maybe naming it macos-packaging-withsign or macos-packaging-protected or something would make more sense - we don't really care why this workflow is triggered so much as what it does different compared to the "normal" macos-packaging job
On first look I was about to ask if this would also trigger on pushes to PR branches before checking the triggers at the top of the workflow file ^^'
You are right, the name was badly chosen; will fix this.
| apple-certificate: | ||
| description: Apple Developer ID Application Certificate | ||
| required: false | ||
| apple-private-key: | ||
| description: Apple Developer ID Application Private Key | ||
| required: false | ||
| apple-api-key: | ||
| description: Apple App Store Connect API Key | ||
| required: false |
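Review bot: with `required: false` and no `default`, an omitted `apple-certificate`, `apple-private-key` or `apple-api-key` reaches the action as an empty string, so the signing and notarization steps need an explicit empty-input check that skips them rather than failing on an empty certificate import; the `description` of each input should also state that leaving it unset produces an unsigned, un-notarized build, since that is the behaviour the unprivileged job relies on.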
Do we need to pass these as inputs? Can we not access the secrets directly from the action here?
Or do you envision that we'll use this action on other repos, in which case more encapsulation is a good idea?
Reusability is a good question, as we are doing more or less the same in at least 3 different repositories. I would say this is not really urgent and could be done later, but there is a risk of failure in making the change...
I'm not sure we can do this differently, as we need to have `environment: name: main` set to access the secrets. So we really need to have 2 different jobs at the top level, one passing the credentials and one not.
For security reasons, the secrets for Apple publication were moved to a protected environment.
We restrict the execution of the job to this environment to prevent secret exfiltration.
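The two-job layout discussed above (an unprivileged packaging job for every run, and a separate job bound to the `main` environment that receives the Apple credentials), written out as an added example; this is not the project's workflow file. The composite action path `./.github/actions/macos-packaging`, the secret names `APPLE_CERTIFICATE`, `APPLE_PRIVATE_KEY` and `APPLE_API_KEY`, and the `macos-packaging-protected` job name are assumptions for illustration; only the `apple-*` input names and the `main` environment come from the page.

```yaml
# Added example, not the project's own workflow. Assumed: a composite action at
# ./.github/actions/macos-packaging with the apple-* inputs shown in the PR, and
# environment secrets named APPLE_CERTIFICATE / APPLE_PRIVATE_KEY / APPLE_API_KEY.
name: macos-packaging

on:
  pull_request:
  push:
    branches: [main]
    tags: ['v*']

jobs:
  macos-packaging:
    # Unprivileged build: runs for pull requests (including forks) and never
    # references the protected environment, so it cannot read its secrets.
    if: github.event_name == 'pull_request'
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/macos-packaging   # assumed action path
        # No apple-* inputs: the action produces an unsigned build.

  macos-packaging-protected:
    # Signing/notarizing build. The ref restriction is repeated on the job so it
    # does not silently widen if the top-level `on: push` filter is edited later.
    if: >-
      github.event_name == 'push' &&
      (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
    runs-on: macos-latest
    environment:
      name: main   # environment secrets are only exposed to jobs that declare it
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/macos-packaging   # assumed action path
        with:
          apple-certificate: ${{ secrets.APPLE_CERTIFICATE }}   # assumed secret name
          apple-private-key: ${{ secrets.APPLE_PRIVATE_KEY }}   # assumed secret name
          apple-api-key: ${{ secrets.APPLE_API_KEY }}           # assumed secret name

---
# Companion action.yml fragment (assumed layout) showing how the action copes with
# the `required: false` inputs: signing is skipped when no certificate is supplied
# instead of failing on an empty import.
name: macos-packaging
inputs:
  apple-certificate:
    description: Apple Developer ID Application Certificate (unset = unsigned build)
    required: false
  apple-private-key:
    description: Apple Developer ID Application Private Key (unset = unsigned build)
    required: false
  apple-api-key:
    description: Apple App Store Connect API Key (unset = no notarization)
    required: false
runs:
  using: composite
  steps:
    - name: Build installer
      shell: bash
      run: ./scripts/build-installer.sh   # assumed build script
    - name: Sign and notarize (only when credentials were passed)
      shell: bash
      env:
        APPLE_CERT: ${{ inputs.apple-certificate }}
        APPLE_KEY: ${{ inputs.apple-private-key }}
        APPLE_API_KEY: ${{ inputs.apple-api-key }}
      run: |
        if [ -z "$APPLE_CERT" ] || [ -z "$APPLE_KEY" ]; then
          echo "No signing credentials supplied; leaving artifacts unsigned."
          exit 0
        fi
        ./scripts/sign-and-notarize.sh   # assumed script; reads the env vars above
```

What makes this layout hold is that secrets stored on an environment are released only to jobs that declare that environment, and the environment's own protection rules (deployment branch policy, required reviewers) decide which refs may declare it. Pull-request runs, fork or not, never reference `main`, so the credentials are not in their job context at all; the unprivileged job therefore needs the empty-input branch in the action rather than a guarded secret.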