
Make deployment possible via CI/CD #8

Merged
sudame merged 5 commits into main from deploy-scripts on Mar 27, 2025

Conversation

@sudame (Collaborator) commented Mar 27, 2025

When a release is created on GitHub, automatically publish the package to npm.

Comment on lines +3 to +5
release:
types:
- published
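Review bot: `types: - published` also fires when a pre-release is published on GitHub, so a pre-release would go through the same publish job as a stable release; if pre-releases should not be published, gate the job with `if: ${{ !github.event.release.prerelease }}` or handle them explicitly in a later step. The reviewer's point stands as well: only accounts with write access or higher can publish a release, so the trigger itself cannot be fired from a fork.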
Contributor commented:

[Review note]
Assuming the repository will be made public, only users with write permission or higher on this repository can trigger this workflow.
[image]
Reference: https://docs.github.com/ja/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#permissions-for-each-role

Comment on lines +21 to +34
permissions:
contents: read
id-token: write
steps:
- run: 'echo "TODO: automate deployment"'
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '22'
registry-url: 'https://registry.npmjs.org'
scope: '@chatwork'
- run: npm ci
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
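Review bot: the placeholder step `- run: 'echo "TODO: automate deployment"'` is still the first step of the job even though the steps after it now perform the deployment; drop it. Separately, `actions/checkout@v4` and `actions/setup-node@v4` are referenced by mutable tags; since this job holds `secrets.NPM_TOKEN` and mints an OIDC token (`id-token: write`), pinning both actions to a full commit SHA limits the blast radius of a retargeted or compromised tag. `contents: read` plus `id-token: write` is the correct minimal permission set for `npm publish --provenance`.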
Contributor commented:

[Review note]
One risk with secrets is that a workflow using pull_request_target can reference secrets.
Because of that, an attacker could potentially cause the workflow to run at a time of their choosing.
Also, under pull_request_target secrets become readable because of the restriction that the workflow cannot be tampered with and then executed.

Since this workflow runs on release, there currently appears to be no way for an attacker to reference them.
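As an added example, not code from this pull request or from its reviewers: a standard-library-only Python scanner for the pattern the comment above describes, a `pull_request_target` workflow that checks out the pull request's own head commit and references secrets. The regexes are an assumed approximation of the common idioms rather than a YAML grammar, and the three sample workflow texts are constructed for illustration; the release-triggered sample is modelled on the shape of the deploy workflow in this PR.

```python
"""Heuristic scanner for the "pwn request" pattern in GitHub Actions workflows.

A finding is raised when a workflow (1) runs on pull_request_target,
(2) checks out the pull request's head commit, and (3) exposes secrets to
that job. Plain regexes over the file text keep it dependency-free; it is
a review aid, not a policy engine.
"""
import re

# Assumed shapes of the usual idioms (constructed for this example).
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
HEAD_CHECKOUT_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}"
)
SECRET_RE = re.compile(r"\bsecrets\.(\w+)")


def scan_workflow(name: str, text: str) -> list[str]:
    """Return human-readable findings for one workflow file's contents."""
    findings: list[str] = []
    if not PR_TARGET_RE.search(text):
        # release / pull_request triggers: no privileged untrusted-code path here
        return findings
    if HEAD_CHECKOUT_RE.search(text):
        findings.append(
            f"{name}: pull_request_target job checks out the PR head; "
            "untrusted code runs with base-repository privileges"
        )
        secrets = sorted(set(SECRET_RE.findall(text)))
        if secrets:
            findings.append(f"{name}: that job can read secrets: {', '.join(secrets)}")
    return findings


def scan_all(workflows: dict[str, str]) -> list[str]:
    """Scan a mapping of file name -> file text and concatenate findings."""
    return [f for name, text in workflows.items() for f in scan_workflow(name, text)]


# Constructed sample workflows (not real files from any repository).
RISKY_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# pull_request_target without checking out the PR head: a common, acceptable use.
LABELER_WORKFLOW = """\
on: pull_request_target
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
"""

# Modelled on the release-triggered deploy workflow discussed in this PR.
RELEASE_WORKFLOW = """\
on:
  release:
    types:
      - published
jobs:
  publish:
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SAMPLES = {
    "risky.yaml": RISKY_WORKFLOW,
    "labeler.yaml": LABELER_WORKFLOW,
    "deploy.yaml": RELEASE_WORKFLOW,
}

if __name__ == "__main__":
    for line in scan_all(SAMPLES):
        print(line)
```

Only `risky.yaml` produces findings: the labeler workflow uses `pull_request_target` with secrets but never executes code from the pull request, and the release workflow has no untrusted trigger at all, which is the point the comment above makes about this PR.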

Member commented:

[Confirmation]
https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

I checked this on my side as well and share @eiel's opinion.

@magcho (Member) left a comment

LGTM 👍

@sudame sudame merged commit 9d3b874 into main Mar 27, 2025
3 checks passed
@sudame sudame deleted the deploy-scripts branch March 27, 2025 10:29