ops(ci): harden authorisation, migrate notify-slack action to TypeScript, and remove dead workflows#2878
Draft
mw-w wants to merge 1 commit into
View your CI Pipeline Execution ↗ for commit 8139006
✅ Audience Bundle Size — @imtbl/audience
Budget: 24.00 KB gzipped (warn at 20.00 KB)
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
…t, and remove dead workflows
Replace JSON-secret allowlists and repo-admin checks with GitHub Environment protection rules across all deployment and publishing workflows. Add missing actor gates to three prod CDN deploy workflows that were previously open to any write-access collaborator. Scope test secrets to the step that needs them and clean up dead workflows, scripts, and the check-user-permission action.
Authorization changes:
- publish.yaml: replace Check User Permission, Admin Permission Check, and Allowed Actors steps with `environment: npm-publish | npm-publish-major` dynamic expression; drop SDK_PUBLISH_MAJOR_VERSION_ACTORS from job env
- build-game-bridge.yaml: replace Check SDK Team Membership with `environment: game-bridge-publish`; replace TS_IMMUTABLE_SDK_GITHUB_TOKEN secret with the github-token OIDC action in create-unity-pr and create-unreal-pr (id-token: write, scoped installation token for checkout and gh pr create)
- deploy-audience-cdn.yaml, deploy-pixel-cdn.yaml, passport-sdk-sample-app-deployment.yaml: add missing environment gates (cdn-deploy-audience, cdn-deploy-pixel, cdn-deploy-passport)
- delete .github/actions/check-user-permission — sole caller removed
github-token action (new):
- TypeScript action backed by the Immutable Token Service
- inputs: repositories (newline-separated owner/repo), permissions (key: value)
- output: scoped installation token; caller must set id-token: write
notify-slack-publish-status action:
- rewrite in TypeScript with Rollup bundler (ESM output, node24, @actions/core@3)
- add pnpm workspace isolation, eslint, prettier, tsconfig
- add explicit `webhook` input; move secrets to step-level
Secret scoping:
- pr.yaml func-tests: move 8 test secrets and 14 config vars from job env to step env on the Run functional tests step; NX_CLOUD_ACCESS_TOKEN stays at job level
- deploy-audience-cdn.yaml, deploy-pixel-cdn.yaml: inline AWS_REGION directly into configure-aws-credentials with: block, remove from job env
Dead code removed:
- publish-docs.yaml, publish-example-tutorials.yaml workflows
- .github/scripts/{check-docs-deployed,check-docs-version,process-tutorials,push-docs,update-docs-link}.sh
- notify-slack-publish-status/index.js (replaced by src/index.ts + dist/)
Other:
- pixel-bundle-size.yaml: fix contents:read accidentally placed inside env: block
- add dependabot.yml for GitHub Actions ecosystem
- add sticky-comment composite action
- add flows.md documenting environment gates, access control model, and migration rationale with Mermaid diagrams
Summary
CI hardening as a prerequisite for the PAT migration. Replaces JSON-secret allowlists and repo-admin checks with GitHub Environment protection rules, adds missing actor gates to three prod CDN deploy workflows, migrates the Slack notify action to TypeScript, and removes dead workflows and scripts.
Detail and impact of the change
Added
- GitHub Environments: `npm-publish`, `npm-publish-major`, `game-bridge-publish`, `cdn-deploy-audience`, `cdn-deploy-pixel`, `cdn-deploy-passport`
- `sticky-comment` composite action for posting updateable PR comments
- `dependabot.yml` for GitHub Actions version tracking
- `flows.md` documenting the new CI access control model and migration rationale with Mermaid diagrams
Changed
- `notify-slack-publish-status` action rewritten in TypeScript with Rollup (node24, `@actions/core@3`, pnpm workspace isolation, ESM output)
- `publish.yaml`: environment gate replaces admin check + JSON allowlist steps; `id-token: write` now also serves npm OIDC trusted publishing; secrets scoped to steps that need them
- `build-game-bridge.yaml`: environment gate replaces SDK team membership check
- `pr.yaml` func-tests job: 8 test secrets and 14 config vars moved from job-level env to step-level on the Run functional tests step only
- `deploy-audience-cdn.yaml`, `deploy-pixel-cdn.yaml`: `AWS_REGION` inlined into `configure-aws-credentials` step
Removed
- `publish-docs.yaml`, `publish-example-tutorials.yaml` workflows
- `.github/scripts/` docs-related shell scripts
- `check-user-permission` action (sole caller removed)
- `SDK_PUBLISH_MAJOR_VERSION_ACTORS` and `SDK_TEAM_MEMBERS` secret references (both can now be removed)
Security
Anything else worth calling out?
- The six GitHub Environments (`npm-publish`, `npm-publish-major`, `game-bridge-publish`, `cdn-deploy-audience`, `cdn-deploy-pixel`, `cdn-deploy-passport`) must be created in GitHub Settings with the correct allowed actors before this branch is merged — the YAML references them and GitHub will block jobs until they exist. See `flows.md` for recommended membership and protection type per environment.
- `TS_IMMUTABLE_SDK_NPM_TOKEN`, `SDK_TEAM_MEMBERS`, and `SDK_PUBLISH_MAJOR_VERSION_ACTORS` can be revoked from repo secrets after merge.
- Follow-up will remove `TS_IMMUTABLE_SDK_GITHUB_TOKEN`, replacing it with short-lived, least-privilege scoped tokens.
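The two patterns the PR description and commit message contrast (a JSON-secret actor allowlist with job-level secrets, versus an Environment protection rule with step-scoped secrets and `id-token: write`) are shown side by side below. This is an added illustration written for this page, not code from this PR or from the repository; the workflow name, the `major` dispatch input, the step names and the secret names `PUBLISH_ACTORS` and `NPM_TOKEN` are constructed placeholders, and the `environment:` expression stands in for the `npm-publish | npm-publish-major` dynamic expression the commit message mentions without quoting.

```yaml
# BEFORE (pattern being replaced): authorisation is decided by a workflow
# step that parses a JSON allowlist stored in a secret, and every secret
# sits in the job-level env, so checkout, install and build steps can all
# read it. Constructed example, not the repository's workflow.
name: publish-before
on:
  workflow_dispatch:
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}        # visible to every step below
    steps:
      - name: Allowed Actors
        # Allowlist lives in a secret; changing it needs a secret update and
        # the check is only as strong as this one expression.
        if: ${{ !contains(fromJSON(secrets.PUBLISH_ACTORS), github.actor) }}
        run: |
          echo "actor ${GITHUB_ACTOR} is not in the allowlist" >&2
          exit 1
      - uses: actions/checkout@v4
      - run: npm ci && npm run build            # NPM_TOKEN is in scope here too
      - run: npm publish
---
# AFTER (pattern the PR adopts): the job names a GitHub Environment, so who
# may run it and which branches may deploy come from the environment's
# protection rules (required reviewers, deployment branch policy) managed in
# repository settings; the environment must exist or GitHub blocks the job.
# Secrets are read only inside the step that needs them.
name: publish-after
on:
  workflow_dispatch:
    inputs:
      major:                                    # assumed input name
        description: Publish a new major version
        type: boolean
        default: false
jobs:
  publish:
    runs-on: ubuntu-latest
    # Stricter environment for major releases; both names must be created
    # in Settings > Environments with their own reviewers before merge.
    environment: ${{ inputs.major && 'npm-publish-major' || 'npm-publish' }}
    permissions:
      contents: read
      id-token: write                           # OIDC token for trusted publishing
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build            # no publish secret in scope
      - name: Publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # scoped to this single step
        run: npm publish
```

The `environment:` value may be an expression, which is what lets one job choose between the ordinary and major-release environments at run time; a reviewer checking such a change should confirm that every name the expression can evaluate to actually exists as a configured environment, since an unknown name leaves the job waiting rather than failing loudly.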