27612896220
26%

Ran 16 Jun 2026 11:05AM UTC

Jobs 1

Files 20

Run time 1min

Badge

Embed ▾

Committed 16 Jun 2026 11:01AM UTC coverage: 25.961%. Remained the same

Build # 27612896220

Build Type

push

github

Committed by

web-flow

Commit Message

Add environment protection for secret access in upload-release-report workflow (#565)

## Description

Fixes a security finding: the `upload-release-report` job accessed the
`RELEASE_LOG_UPLOADER_SA` secret without being tied to a protected
GitHub environment, bypassing environment protection rules.

## Changes

Added `environment: ${{ vars.PROTECTED_ENVIRONMENT }}` to the
`upload-release-report` job. This gates access to the
`RELEASE_LOG_UPLOADER_SA` secret behind the configured environment's
protection rules (e.g. required reviewers, branch restrictions, wait
timers).

Using a repository variable for the environment name — rather than a
hardcoded string — keeps the workflow portable across repos that may use
different environment names. The `PROTECTED_ENVIRONMENT` repository
variable must be set in the repo settings.

## Related

Same fix applied in
[kyma-project/application-connector-manager#873](https://github.com/kyma-project/application-connector-manager/pull/873).

Coverage Stats

817 of 3147 relevant lines covered (25.96%)

0.29 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	27612896220.1	16 Jun 2026 11:05AM UTC	20	25.96	GitHub Action Run

kyma-project / compass-manager / 27612896220
26%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 27612896220

kyma-project / compass-manager / 27612896220 26%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 27612896220

kyma-project / compass-manager / 27612896220
26%

README BADGES
x