fix(ci): tighten PR workflow permissions and secret access (v2.0 backport)#903
Merged
…port) Backport of #901. Same security mitigations applied to the v2.0 pre-release staging branch.

next-drupal.yml:
- Switch from pull_request_target to pull_request
- persist-credentials: false on checkout
- permissions: contents: read
- Gate Drupal secrets to push-to-v2.0 events only
- Add concurrency + timeout-minutes

release-pr.yml:
- Restrict trigger to internal-PR labeled events
- persist-credentials: false on checkout
- setup-node@v4 registry-url + NODE_AUTH_TOKEN
- Replace third-party comment action with gh CLI
- permissions: contents: read, pull-requests: write
- Add concurrency + timeout-minutes
… list

The test utility module constructs a Drupal client at module load time, which throws when DRUPAL_CLIENT_ID and DRUPAL_CLIENT_SECRET are unset. Pass placeholder values on PR runs so unit tests (which mock fetch) can import the utils without crashing. Several additional test files exercise a live Drupal instance and fail when pointed at the placeholder DRUPAL_BASE_URL. Until the live dependency is removed, skip these on PR runs alongside crud-methods.
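What the two commit messages above describe for `next-drupal.yml`, written out as a complete workflow. This is an added illustration, not the project's own file: the job, step and npm script names, the placeholder values, and the `v2.0` branch filter are assumptions; the secret names `DRUPAL_BASE_URL`, `DRUPAL_CLIENT_ID` and `DRUPAL_CLIENT_SECRET` are those named in the commits.

```yaml
# Added example of a hardened PR workflow; not the project's next-drupal.yml.
# Job/step/script names and placeholder values are assumptions.
name: next-drupal

on:
  # pull_request, not pull_request_target: a PR from a fork runs with no
  # repository secrets and a read-only GITHUB_TOKEN.
  pull_request:
    branches: [v2.0]
  push:
    branches: [v2.0]

# Least-privilege default token for every job in this workflow.
permissions:
  contents: read

# One active run per ref; a newer push to the same PR cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    env:
      # Real Drupal credentials only on pushes to v2.0. PR runs get
      # placeholders so the test utils (which build a client at import
      # time) still load; unit tests mock fetch and never use them.
      DRUPAL_BASE_URL: ${{ github.event_name == 'push' && secrets.DRUPAL_BASE_URL || 'https://drupal.invalid' }}
      DRUPAL_CLIENT_ID: ${{ github.event_name == 'push' && secrets.DRUPAL_CLIENT_ID || 'placeholder-client-id' }}
      DRUPAL_CLIENT_SECRET: ${{ github.event_name == 'push' && secrets.DRUPAL_CLIENT_SECRET || 'placeholder-client-secret' }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci

      # Unit tests: run on every PR with the placeholder credentials.
      - run: npm test

      # Tests that need a live Drupal instance: push-to-v2.0 runs only,
      # matching the secret gating above (script name is assumed).
      - name: Integration tests (live Drupal)
        if: github.event_name == 'push'
        run: npm run test:integration
```

The `github.event_name == 'push'` condition appears twice on purpose: the secrets and the tests that consume them are gated on the same expression, so a PR run can never be pointed at the live instance by accident, and the placeholder values make it obvious in logs when a test that should have been skipped was not.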
sean-e-dietrich approved these changes, May 11, 2026
Summary
Backport of #901 to the `v2.0` pre-release staging branch. Applies the same security mitigations to `next-drupal.yml` and `release-pr.yml` so this branch's PR-triggered workflows have the same hardened defaults.

next-drupal.yml
- Switch from `pull_request_target` to `pull_request`
- `persist-credentials: false` on checkout
- `permissions: contents: read` at workflow root
- Drupal secrets only when `github.event_name == 'push'` to `v2.0`
- Skip the integration test (`crud-methods`) on PR runs and lift coverage threshold accordingly
- `concurrency` cancel-in-progress + `timeout-minutes: 15`
- Branch references point at `v2.0` (replaces stale `main` references)

release-pr.yml
- Trigger restricted to `pull_request: [labeled]`
- Internal PRs only: `head.repo.full_name == base.repo.full_name`
- `persist-credentials: false` on checkout
- `setup-node@v4` `registry-url` + `NODE_AUTH_TOKEN` (replaces inline `.npmrc` echo)
- Comment via `gh pr comment`
- `permissions: contents: read, pull-requests: write`
- `concurrency` cancel-in-progress + `timeout-minutes: 15`

Test plan
- `next-drupal.yml` (PR path, integration test skipped)
- `release-pr.yml` validated on next experimental release attempt against this branch

Notes
`v2.0` is the pre-release staging branch (where features merge before stable npm release) and serves docs from https://next-drupal.org/.
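The `release-pr.yml` changes listed in the summary, as an added example workflow (not the project's own file). The label name `release:experimental`, the `NPM_TOKEN` secret name, the npm dist-tag and the job/step names are assumptions; the trigger, internal-PR condition, `registry-url` + `NODE_AUTH_TOKEN`, `gh pr comment` and permissions are the items the PR describes.

```yaml
# Added example of a label-gated release workflow; not the project's
# release-pr.yml. Label, secret and step names are assumptions.
name: release-pr

on:
  pull_request:
    types: [labeled]

# contents: read for checkout; pull-requests: write is the one extra scope
# that `gh pr comment` needs, and nothing else is granted.
permissions:
  contents: read
  pull-requests: write

# One release attempt per PR at a time.
concurrency:
  group: release-pr-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  publish:
    # Run only for the release label, and only for PRs whose head branch
    # lives in this repository. A fork PR never reaches the npm token or
    # the comment step.
    if: >-
      github.event.label.name == 'release:experimental' &&
      github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # registry-url makes setup-node write an .npmrc that reads the token
      # from NODE_AUTH_TOKEN at publish time, so the token is never echoed
      # into a file by a shell step.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      - run: npm ci

      - run: npm publish --tag experimental
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # gh is preinstalled on GitHub-hosted runners; GH_TOKEN is the
      # job's own GITHUB_TOKEN with the permissions declared above.
      - run: gh pr comment "$PR_NUMBER" --body "Published experimental release from $HEAD_SHA"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
```

Two details are worth checking when adapting this: the `if:` expression belongs on the job, not on individual steps, so that a fork PR does not even check out code on a runner that holds the token; and the PR number and SHA are passed to `gh` through environment variables rather than interpolated into the `run:` string, which keeps event-controlled values out of the shell command line.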