ops(ci): harden authorisation, migrate notify-slack action to TypeScript, and remove dead workflows#2878
ops(ci): harden authorisation, migrate notify-slack action to TypeScript, and remove dead workflows#2878mw-w wants to merge 2 commits into
Conversation
|
View your CI Pipeline Execution ↗ for commit 54aeade
💡 Verify your cache is correct by running tasks in a sandbox. Read docs ↗ ☁️ Nx Cloud last updated this comment at |
✅ Audience Bundle Size — @imtbl/audience
Budget: 24.00 KB gzipped (warn at 20.00 KB) |
|
Warning According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub. Please tag @prodsec or slack us at #ask-security if you need assitance.
|
… tagging, and migrate deploy workflows
Replace JSON-secret allowlists and repo-admin checks with GitHub Environment protection rules across all deployment and publishing workflows. Add missing actor gates to three prod CDN deploy workflows that were previously open to any write-access collaborator. Scope test secrets to the step that needs them and clean up dead workflows, scripts, and the check-user-permission action.
Authorization changes:
- publish.yaml: replace Check User Permission, Admin Permission Check, and Allowed Actors steps with `environment: npm-publish`; collapse npm-publish and npm-publish-major into a single environment — npm Trusted Publisher only accepts one environment per package so both publish paths must share one; drop SDK_PUBLISH_MAJOR_VERSION_ACTORS from job env
- build-game-bridge.yaml: replace Check SDK Team Membership with `environment: npm-publish`; replace TS_IMMUTABLE_SDK_GITHUB_TOKEN secret with the github-token OIDC action in create-unity-pr and create-unreal-pr (id-token: write, scoped installation token for checkout and gh pr create)
- deploy-audience-cdn.yaml, deploy-pixel-cdn.yaml, passport-sdk-sample-app-deployment.yaml: add missing environment gates; consolidate cdn-deploy-audience, cdn-deploy-pixel, and cdn-deploy-passport into a single cdn-deploy environment gated by ped-stream-blockchain-services-list
- delete .github/actions/check-user-permission — sole caller removed
github-token action (new):
- TypeScript action backed by the Immutable Token Service
- inputs: repositories (newline-separated owner/repo), permissions (key: value)
- output: scoped installation token; caller must set id-token: write
notify-slack-publish-status action:
- rewrite in TypeScript with Rollup bundler (ESM output, node24, @actions/core@3)
- add pnpm workspace isolation, eslint, prettier, tsconfig
- add explicit `webhook` input; move secrets to step-level
Secret scoping:
- pr.yaml func-tests: move 8 test secrets and 14 config vars from job env to step env on the Run functional tests step; NX_CLOUD_ACCESS_TOKEN stays at job level
- deploy-audience-cdn.yaml, deploy-pixel-cdn.yaml: inline AWS_REGION directly into configure-aws-credentials with: block, remove from job env
build-game-bridge.yaml artifact passing:
- replace actions/cache save+restore pattern with actions/upload-artifact (id: upload-artifact) in build-game-bridge and actions/download-artifact by artifact-id in create-unity-pr and create-unreal-pr; cache is not guaranteed for the workflow run lifetime whereas upload/download is
- attest build artifacts (unity/index.html, unreal/index.js) with actions/attest after build and before upload; build-game-bridge job gains id-token: write and attestations: write
- disable pnpm store cache (enable-cache: "false") in all three jobs to match publish workflow
Prerelease tagging fix (publish.yaml):
- move Tag Git Pre-Release step to after Release to NPM; previously tagging before publish left an orphaned git tag whenever the publish failed, causing subsequent runs to compute the same version and collide on the tag
- condition the tag step on steps.npm_release.conclusion == 'success' && env.DRY_RUN == 'false'; dry-run publishes do not write package.json versions to disk so jq reads the stale version and collides with the tag from the prior real publish
Disable pnpm cache in deploy workflows:
- deploy-audience-cdn.yaml, deploy-pixel-cdn.yaml, passport-sdk-sample-app-deployment.yaml, build-game-bridge.yaml: pass enable-cache: "false" to the setup action; production artifact builds use a clean install to avoid stale cached dependencies affecting deployed output
Dead code removed:
- publish-docs.yaml, publish-example-tutorials.yaml workflows
- .github/scripts/{check-docs-deployed,check-docs-version,process-tutorials,push-docs,update-docs-link}.sh
- notify-slack-publish-status/index.js (replaced by src/index.ts + dist/)
Other:
- pixel-bundle-size.yaml: fix contents:read accidentally placed inside env: block
- add dependabot.yml for GitHub Actions ecosystem
- add sticky-comment composite action
- add flows.md documenting environment gates, access control model, and Mermaid diagrams for all workflow trigger paths
github-merge-queue
Bot
removed this pull request from the merge queue due to no response for status checks
… main publish.yaml: remove "Get GitHub Release Name and URL" step which had an inverted condition — contains(env.RELEASE_TYPE, 'release') matched 'prerelease' but not 'patch'/'minor'/'major', so Slack notifications for public releases always received an empty version. Remove the unconditional sleep 30 that preceded it. Add a single "Read SDK version" step after the version bump that outputs SDK_VERSION from sdk/package.json once, passed to downstream steps via env blocks, replacing five repeated jq subprocess calls. pr.yaml: add push to main trigger to populate the playwright browser cache after each merge so merge queue runs hit it rather than cold-installing. Add timeout-minutes: 15 on the Setup playwright step to prevent indefinite hangs.
4 participants
Summary
CI hardening as a prerequisite for the PAT migration. Replaces JSON-secret allowlists and repo-admin checks with GitHub Environment protection rules, adds missing actor gates to three prod CDN deploy workflows, migrates the Slack notify action to TypeScript, and removes dead workflows and scripts.
Detail and impact of the change
Added
npm-publish,cdn-deploy)sticky-commentcomposite action for posting updateable PR commentsdependabot.ymlfor GitHub Actions version trackingflows.mddocumenting the new CI access control model and migration rationale with Mermaid diagramsChanged
notify-slack-publish-statusaction rewritten in TypeScript with Rollup (node24,@actions/core@3, pnpm workspace isolation, ESM output)publish.yaml: environment gate replaces admin check + JSON allowlist steps;id-token: writenow also serves npm OIDC trusted publishing; secrets scoped to steps that need thembuild-game-bridge.yaml: environment gate replaces SDK team membership checkpr.yamlfunc-tests job: 8 test secrets and 14 config vars moved from job-level env to step-level on the Run functional tests step onlydeploy-audience-cdn.yaml,deploy-pixel-cdn.yaml:AWS_REGIONinlined intoconfigure-aws-credentialssteppublish.yaml: use upload and download action instead of cache between workflow jobsbuild-game-bridge.yaml: attest all built artifactpublish.yaml: tag git pre-release now runs after release to NPM and is conditioned on the publish step succeeding and DRY_RUN being false.Removed
publish-docs.yaml,publish-example-tutorials.yamlworkflows.github/scripts/docs-related shell scriptscheck-user-permissionaction (sole caller removed)SDK_PUBLISH_MAJOR_VERSION_ACTORSandSDK_TEAM_MEMBERSsecret references (both can now be removed)Security
Anything else worth calling out?
The GitHub Environments (
npm-publish,cdn-deploy) must be created in GitHub Settings with the correct allowed actors before this branch is merged — the YAML references them and GitHub will block jobs until they exist. Seeflows.mdfor recommended membership and protection type per environment.TS_IMMUTABLE_SDK_NPM_TOKEN,SDK_TEAM_MEMBERS, andSDK_PUBLISH_MAJOR_VERSION_ACTORScan be revoked from repo secrets after merge.Follow up will remove
TS_IMMUTABLE_SDK_GITHUB_TOKENwith short lived, least privilege scoped tokens