
fix(ci): tighten PR workflow permissions and secret access #901

Merged
robdecker merged 3 commits into main from fix/ci-harden-pr-workflows on May 11, 2026

Conversation

@robdecker (Member)

Summary

Hardens the two PR-triggered workflows to apply least-privilege defaults and reduce the blast radius of any future malicious PR.

next-drupal.yml

  • Switch from pull_request_target to pull_request
  • persist-credentials: false on checkout
  • permissions: contents: read at workflow root
  • Drupal secrets only loaded when github.event_name == 'push' (i.e., main)
  • PR runs skip the integration test (crud-methods) and lift coverage threshold accordingly
  • Add concurrency cancel-in-progress and timeout-minutes: 15

release-pr.yml

  • Trigger restricted to pull_request: [labeled]
  • Internal-PR guard: head.repo.full_name == base.repo.full_name
  • persist-credentials: false on checkout
  • setup-node@v4 registry-url + NODE_AUTH_TOKEN (replaces inline .npmrc echo)
  • Replace third-party comment action with built-in gh pr comment
  • permissions: contents: read, pull-requests: write
  • Add concurrency cancel-in-progress and timeout-minutes: 15

Test plan

  • CI runs on this PR validate the new next-drupal.yml (PR path)
  • Push-to-main path of next-drupal.yml runs full test suite with Drupal secrets after merge
  • release-pr.yml validated on next experimental release attempt (first opportunity to exercise setup-node + NODE_AUTH_TOKEN path)

Follow-ups (separate PRs)

  • npm OIDC trusted publishing (eliminates NPM_TOKEN)
  • SHA-pin third-party actions
  • Branch protection / repo security settings hardening
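The next-drupal.yml changes listed in the summary, laid out as one workflow. This is an added example, not the project's actual file: the workflow and job names, the Node version, the jest command and the placeholder values are assumptions; the trigger, permissions, checkout, concurrency, timeout and secret gating follow the bullet list above.

```yaml
name: next-drupal

on:
  push:
    branches: [main]
  # Was pull_request_target, which runs fork code with the base repo's
  # secrets and a write-capable GITHUB_TOKEN. pull_request gives forks
  # a read-only token and no repository secrets.
  pull_request:

# Default GITHUB_TOKEN scope for every job; nothing here needs write.
permissions:
  contents: read

# A newer push to the same ref cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:   # job name, test command and placeholder values are assumptions
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      # PR runs: placeholder credentials so the test utils can be imported,
      # and the live integration test (crud-methods) is skipped.
      - name: Unit tests (PR)
        if: github.event_name == 'pull_request'
        env:
          DRUPAL_BASE_URL: http://placeholder.invalid
          DRUPAL_CLIENT_ID: placeholder
          DRUPAL_CLIENT_SECRET: placeholder
        run: npx jest --testPathIgnorePatterns crud-methods
      # Real Drupal secrets are referenced only on push to main.
      - name: Full test suite (push to main)
        if: github.event_name == 'push'
        env:
          DRUPAL_BASE_URL: ${{ secrets.DRUPAL_BASE_URL }}
          DRUPAL_CLIENT_ID: ${{ secrets.DRUPAL_CLIENT_ID }}
          DRUPAL_CLIENT_SECRET: ${{ secrets.DRUPAL_CLIENT_SECRET }}
        run: npx jest
```

The same pattern applies to release-pr.yml, with the trigger narrowed to `pull_request: types: [labeled]`, a job-level `if: github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name`, and `pull-requests: write` added only because `gh pr comment` needs it.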

next-drupal.yml:
- Switch from pull_request_target to pull_request
- persist-credentials: false on checkout
- permissions: contents: read
- Gate Drupal secrets to push-to-main events only
- Add concurrency + timeout-minutes

release-pr.yml:
- Restrict trigger to internal-PR labeled events
- persist-credentials: false on checkout
- setup-node@v4 registry-url + NODE_AUTH_TOKEN
- Replace third-party comment action with gh CLI
- permissions: contents: read, pull-requests: write
- Add concurrency + timeout-minutes

vercel Bot commented May 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project            Deployment   Actions            Updated (UTC)
next-drupal-next   Ready        Preview, Comment   May 8, 2026 11:45pm

2 skipped deployments:
next-drupal        Ignored                         May 8, 2026 11:45pm
next-drupal-v1-6   Ignored                         May 8, 2026 11:45pm


The test utility module constructs a Drupal client at module load time, which throws when DRUPAL_CLIENT_ID and DRUPAL_CLIENT_SECRET are unset. Pass placeholder values on PR runs so unit tests (which mock fetch) can import the utils without crashing.

Several additional test files exercise a live Drupal instance and fail when pointed at the placeholder DRUPAL_BASE_URL. Until the live dependency is removed (see .claude/plans/remove-live-drupal-from-tests.md), skip these on PR runs alongside crud-methods.
robdecker merged commit 269e34f into main on May 11, 2026
11 checks passed
robdecker deleted the fix/ci-harden-pr-workflows branch on May 11, 2026 at 20:18