ops(ci): harden authorisation, migrate notify-slack action to TypeScript, and remove dead workflows #2878

Draft: mw-w wants to merge 1 commit into main from security/harden-ci

mw-w (Contributor) commented May 26, 2026

Summary

CI hardening as a prerequisite for the PAT migration. Replaces JSON-secret allowlists and repo-admin checks with GitHub Environment protection rules, adds missing actor gates to three prod CDN deploy workflows, migrates the Slack notify action to TypeScript, and removes dead workflows and scripts.

Detail and impact of the change

Added

  • GitHub Environment gates on all deployment and publishing workflows (npm-publish, npm-publish-major, game-bridge-publish, cdn-deploy-audience, cdn-deploy-pixel, cdn-deploy-passport)
  • sticky-comment composite action for posting updateable PR comments
  • dependabot.yml for GitHub Actions version tracking
  • flows.md documenting the new CI access control model and migration rationale with Mermaid diagrams

Changed

  • notify-slack-publish-status action rewritten in TypeScript with Rollup (node24, @actions/core@3, pnpm workspace isolation, ESM output)
  • publish.yaml: environment gate replaces admin check + JSON allowlist steps; id-token: write now also serves npm OIDC trusted publishing; secrets scoped to steps that need them
  • build-game-bridge.yaml: environment gate replaces SDK team membership check
  • pr.yaml func-tests job: 8 test secrets and 14 config vars moved from job-level env to step-level on the Run functional tests step only
  • deploy-audience-cdn.yaml, deploy-pixel-cdn.yaml: AWS_REGION inlined into configure-aws-credentials step

Removed

  • publish-docs.yaml, publish-example-tutorials.yaml workflows
  • .github/scripts/ docs-related shell scripts
  • check-user-permission action (sole caller removed)
  • SDK_PUBLISH_MAJOR_VERSION_ACTORS and SDK_TEAM_MEMBERS secret references (both can now be removed)

Security

  • Actor gates now enforced by GitHub environments before the runner starts
  • Write-access collaborators can no longer trigger prod CDN/S3 deploys on dispatch without approval

Anything else worth calling out?

The six GitHub Environments (npm-publish, npm-publish-major, game-bridge-publish, cdn-deploy-audience, cdn-deploy-pixel, cdn-deploy-passport) must be created in GitHub Settings with the correct allowed actors before this branch is merged — the YAML references them and GitHub will block jobs until they exist. See flows.md for recommended membership and protection type per environment.

TS_IMMUTABLE_SDK_NPM_TOKEN, SDK_TEAM_MEMBERS, and SDK_PUBLISH_MAJOR_VERSION_ACTORS can be revoked from repo secrets after merge.

Follow-up will remove TS_IMMUTABLE_SDK_GITHUB_TOKEN with short-lived, least-privilege scoped tokens.

…t, and remove dead workflows

Replace JSON-secret allowlists and repo-admin checks with GitHub Environment protection rules across all deployment and publishing workflows. Add missing actor gates to three prod CDN deploy workflows that were previously open to any write-access collaborator. Scope test secrets to the step that needs them and clean up dead workflows, scripts, and the check-user-permission action.

Authorization changes:
- publish.yaml: replace Check User Permission, Admin Permission Check, and Allowed Actors steps with `environment: npm-publish | npm-publish-major` dynamic expression; drop SDK_PUBLISH_MAJOR_VERSION_ACTORS from job env
- build-game-bridge.yaml: replace Check SDK Team Membership step with `environment: game-bridge-publish`; drop SDK_TEAM_MEMBERS from job env
- deploy-audience-cdn.yaml, deploy-pixel-cdn.yaml, passport-sdk-sample-app-deployment.yaml: add missing environment gates (cdn-deploy-audience, cdn-deploy-pixel, cdn-deploy-passport)
- delete .github/actions/check-user-permission — sole caller removed

notify-slack-publish-status action:
- rewrite in TypeScript with Rollup bundler (ESM output, node24, @actions/core@3)
- add pnpm workspace isolation, eslint, prettier, tsconfig
- add explicit `webhook` input; move secrets to step-level with

Secret scoping:
- pr.yaml func-tests: move 8 test secrets and 14 config vars from job env to step env on the Run functional tests step; NX_CLOUD_ACCESS_TOKEN stays at job level
- deploy-audience-cdn.yaml, deploy-pixel-cdn.yaml: inline AWS_REGION directly into configure-aws-credentials with: block, remove from job env

Dead code removed:
- publish-docs.yaml, publish-example-tutorials.yaml workflows
- .github/scripts/{check-docs-deployed,check-docs-version,process-tutorials,push-docs,update-docs-link}.sh
- notify-slack-publish-status/index.js (replaced by src/index.ts + dist/)

Other:
- pixel-bundle-size.yaml: fix contents:read accidentally placed inside env: block
- add dependabot.yml for GitHub Actions ecosystem
- add sticky-comment composite action
- add flows.md documenting environment gates, access control model, and migration rationale with Mermaid diagrams
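
The gating and secret-scoping pattern this PR describes, as an added illustration that is not taken from the PR's diff. The job layout, the `release_type` input, the `SLACK_WEBHOOK` secret name, the check script path and the action version tag are assumptions; the environment names, the `webhook` input and the removed allowlist secret are the ones named above.

```yaml
# BEFORE (constructed fragment): the actor check is a step, so it runs on a
# runner that has already started, and job-level env exposes the allowlist
# and the webhook to every step in the job.
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      SDK_PUBLISH_MAJOR_VERSION_ACTORS: ${{ secrets.SDK_PUBLISH_MAJOR_VERSION_ACTORS }}
      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}        # hypothetical secret name
    steps:
      - name: Allowed Actors
        run: ./.github/scripts/check-allowed-actor.sh    # hypothetical script
      - run: npm publish
---
# AFTER (constructed fragment): the environment decides who may run the job.
# Allowed actors and required reviewers are configured on the environment in
# repository settings, not in YAML or in a JSON secret.
on:
  workflow_dispatch:
    inputs:
      release_type:                                      # hypothetical input
        type: choice
        options: [minor, major]
jobs:
  publish:
    runs-on: ubuntu-latest
    # Dynamic expression: major releases go through the stricter environment.
    environment: ${{ inputs.release_type == 'major' && 'npm-publish-major' || 'npm-publish' }}
    permissions:
      contents: read
      id-token: write        # OIDC token, also used for npm trusted publishing
    steps:
      - uses: actions/checkout@v4
      - run: npm publish     # no long-lived npm token in env
      - name: Notify Slack
        if: always()
        uses: ./.github/actions/notify-slack-publish-status
        with:
          webhook: ${{ secrets.SLACK_WEBHOOK }}          # visible to this step only
```

A job that references an environment which does not yet exist, or whose protection rules are not satisfied, does not proceed, which is why the PR asks for the six environments to be created before merge.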

nx-cloud Bot commented May 26, 2026

View your CI Pipeline Execution ↗ for commit 34c3ceb

| Command | Status | Duration | Result |
| nx run-many -p @imtbl/sdk,@imtbl/checkout-widge... | ✅ Succeeded | 1s | View ↗ |
| nx affected -t build,lint,test | ✅ Succeeded | <1s | View ↗ |

☁️ Nx Cloud last updated this comment at 2026-05-26 06:48:48 UTC

@github-actions

✅ Audience Bundle Size — @imtbl/audience

| Metric | Size | Delta vs main (8a49fc2) |
| Gzipped | 18710 bytes (18.27 KB) | 0 bytes |
| Raw (minified) | 54679 bytes | 0 bytes |

Budget: 24.00 KB gzipped (warn at 20.00 KB)

@socket-security

Warning

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Please tag @prodsec or slack us at #ask-security if you need assistance.

| Action | Severity | Alert |
| Warn | High | Obfuscated code: npm @typescript-eslint/eslint-plugin is 90.0% likely obfuscated |

Confidence: 0.90

Location: Package overview

From: .github/actions/notify-slack-publish-status/pnpm-lock.yaml → npm/typescript-eslint@8.60.0 → npm/@typescript-eslint/eslint-plugin@8.60.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.60.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
