Conversation

@reakaleek reakaleek (Member) commented Feb 11, 2025

Context

After thinking through the current workflows related to preview builds, I learned that it's worse than using pull_request_target.

In the current way, the docs-deploy.yml workflow deploys every artifact it receives from the docs-build.yml workflow.

This means a bad PR author can modify the docs-build.yml workflow in his own fork and deploy custom HTML pages with malicious JavaScript (e.g. redirecting to a malicious site).

Changes

This uses a single workflow for building and deploying the docs and utilizes the pull_request_target event.
Since the workflow is running in the context of the main branch, a PR author will not be able to modify the workflow.
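The following is an added illustration of the single-workflow `pull_request_target` pattern described above; it is not the workflow from this PR, and the workflow name, script names (`build-docs.sh`, `deploy-preview.sh`) and secret name are assumed placeholders. The workflow definition is always read from the base branch, so a fork cannot change these steps; only the checked-out docs sources come from the PR.

```yaml
name: docs-preview  # hypothetical name, not the project's workflow

# pull_request_target runs the workflow file from the base branch (main),
# so a PR author cannot alter these steps from a fork.
on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege for the default GITHUB_TOKEN.
permissions:
  contents: read
  pull-requests: write   # assumed: used to post the preview URL as a comment

concurrency:
  group: docs-preview-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      # Check out the PR's content (docs sources) at its head SHA.
      # The workflow itself still comes from main, so nothing in the PR can
      # change which steps run or what gets deployed beyond the built pages.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      # Build step. The build runs PR-supplied sources, so no deploy
      # credentials are exposed to it; it only writes to ./dist.
      - name: Build docs
        run: ./build-docs.sh --out ./dist   # hypothetical build script

      # Deploy from the same run. Nothing is accepted from another workflow's
      # artifacts; the pages deployed are exactly what this job just built.
      # Only the numeric PR number is interpolated into the shell command,
      # never attacker-controlled strings such as the branch name.
      - name: Deploy preview
        env:
          DEPLOY_TOKEN: ${{ secrets.DOCS_PREVIEW_DEPLOY_TOKEN }}  # hypothetical secret
        run: ./deploy-preview.sh --source ./dist --pr "${{ github.event.pull_request.number }}"
```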

@reakaleek reakaleek force-pushed the feature/preview-deploy-rework branch from 2c78a79 to 7c9d6ad on February 11, 2025 14:27
@reakaleek reakaleek added the automation packaging, ci/cd. label Feb 11, 2025
@reakaleek reakaleek requested a review from a team February 11, 2025 14:47
@reakaleek reakaleek marked this pull request as ready for review February 11, 2025 14:47
@reakaleek reakaleek merged commit 5e7fdca into main Feb 11, 2025
4 of 5 checks passed
@reakaleek reakaleek deleted the feature/preview-deploy-rework branch February 11, 2025 15:34