
supabase / auth-js (coverage 81%)
Default branch: master. Repo added 17 Dec 2024 03:44PM UTC. Files: 16.
Last build on branch master: 29 Aug 2025 09:37AM UTC, coverage 80.811% (remained the same)
Build 17320322015, push via github, committer web-flow
chore: secure-proof workflows (#1105)

## What kind of change does this PR introduce?

Proactive security hardening - implementing defense-in-depth for our
preview release workflow.

## What is the current behavior?

The current `preview-release.yml` workflow is **secure in practice** but
uses a pattern that could be theoretically vulnerable if our existing
safeguards were bypassed.

Current workflow security analysis:
- ✅ **Protected by maintainer-only label requirement** (`trigger: preview`)
- ✅ **No code injection vulnerabilities** (no direct interpolation of user input)
- ✅ **Limited permission scope** (only `pull-requests: write`)
- ⚠️ **Theoretical risk**: Uses `pull_request_target` while checking out PR head code
- ⚠️ **Pattern concern**: Executes `npm ci` and `npm run build` from forks in a context with secrets

**Important**: Our workflow was never vulnerable to the attacks seen in the [recent incident](https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c) due to our security controls. However, in light of recent supply chain attacks, we're implementing additional layers of security.

## What is the new behavior?

Implementing a **zero-trust architecture** that makes exploitation impossible even if all other safeguards fail.

### New Three-Workflow Architecture:
1. **`preview-build.yml`** - Executes untrusted fork code in a completely isolated environment (no secrets, minimal permissions)
2. **`trigger-tests.yml`** - Orchestrates testing using only artifacts (never touches fork code, has access to secrets)
3. **`preview-comment.yml`** - Updates PR status (read-only operations with artifacts)

### Security Improvements:

| Security Layer | Previous (Secure) | New (Defense-in-Depth) |
|---------------|-------------------|------------------------|
| **Maintainer Control** | ✅ Required label | ✅ Required label |
| **Code Injection Protection** | ✅ No interpolation | ✅ No interpolation |
| **Fork Code Isolation** | ⚠️ Runs with secre... (continued) | |
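As an added illustration of the artifact-only handoff the three-workflow design above describes (this is not the auth-js project's own workflow file): the unprivileged workflow runs the fork's build under `pull_request`, where fork PRs receive no secrets, and uploads an artifact; the privileged workflow fires on `workflow_run`, downloads that artifact and never checks out fork source. The workflow names, the `dist/` path and the label check are assumptions.

```yaml
# Illustrative sketch only; assumed names and paths, not the project's own files.
# --- preview-build.yml: runs fork code with NO secrets and minimal permissions ---
name: preview-build
on:
  pull_request:   # not pull_request_target: fork PRs get no secrets and a read-only token
    types: [opened, synchronize, labeled]
permissions:
  contents: read
jobs:
  build:
    if: contains(github.event.pull_request.labels.*.name, 'trigger: preview')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # PR merge ref; no secrets are reachable from here
      - run: npm ci && npm run build     # untrusted build step, isolated from secrets
      - run: echo "${{ github.event.pull_request.number }}" > pr-number.txt
      - uses: actions/upload-artifact@v4 # dist/ is an assumed build output directory
        with:
          name: preview-build
          path: |
            dist/
            pr-number.txt
---
# --- trigger-tests.yml: has secrets, but consumes only the artifact, never fork source ---
name: trigger-tests
on:
  workflow_run:
    workflows: [preview-build]
    types: [completed]
permissions:
  contents: read
  pull-requests: write
jobs:
  test:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: preview-build
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # treat the artifact as untrusted input: check its shape before using it
      - run: test -d dist && grep -qE '^[0-9]+$' pr-number.txt
      - run: echo "PR $(cat pr-number.txt): run tests against dist/ with secrets here"
```

The privileged job still validates the artifact (a bare PR number, an expected directory) because a fork controls the artifact's contents even though it never controls the job that consumes it.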

1080 of 1441 branches covered (74.95%); branch coverage is included in the aggregate %.
1451 of 1691 relevant lines covered (85.81%), 172.74 hits per line.

Recent builds (build id, branch, type, ran, committer via service, coverage %, commit message):

  • 17320322015, master, push, 29 Aug 2025 09:40AM UTC, web-flow via github, 80.81: chore: secure-proof workflows (#1105) ## What kind of change does this PR introduce? Proactive security hardening - implementing defense-in-depth for our preview release workflow. ## What is the current behavior? The current `preview-release.y...
  • 17209653583, master, push, 25 Aug 2025 01:06PM UTC, web-flow via github, 80.81: chore: fix preview release to use correct target (#1104) ## What kind of change does this PR introduce? Change event trigger from `pull_request` to `pull_request_target`. ## What is the current behavior? Event for triggering a PR release is `p...
  • 17204192423, master, push, 25 Aug 2025 09:01AM UTC, web-flow via github, 80.81: chore: added more tests (#1103) ## What kind of change does this PR introduce? Achieving 80% coverage after this PR
  • 17079322891, master, push, 19 Aug 2025 07:10PM UTC, web-flow via github, 77.23: chore: more tests (#1101) ## What kind of change does this PR introduce? PR is based on https://github.com/supabase/auth-js/pull/1095. Please, merge the previous one first. Increased coverage
  • 17038881312, master, push, 18 Aug 2025 11:13AM UTC, web-flow via github, 72.16: chore: added more tests (#1095) ## What kind of change does this PR introduce? added more tests
  • 16943763249, master, push, 13 Aug 2025 04:50PM UTC, web-flow via github, 71.1: chore: trigger action from forks (#1099) ## What kind of change does this PR introduce? Using `pull_request_target` to access secrets when PRs come from forks. This is secure, since we control which PRs trigger the preview. ## What is the curre...
  • 16941082354, master, push, 13 Aug 2025 03:02PM UTC, web-flow via github, 71.1: chore: trigger supabase-js tests (#1098) ## What kind of change does this PR introduce? CI/CD enhancement - Improves the preview release workflow and cross-repository testing integration. ## What is the current behavior? - Preview releases are...
  • 16913725261, master, push, 12 Aug 2025 03:43PM UTC, web-flow via github, 71.1: chore: add preview release (#1097) ## What kind of change does this PR introduce? Infrastructure improvement - adds a preview release workflow for easier testing of changes. ## What is the current behavior? Contributors and maintainers need to...
  • 16474912074, master, push, 23 Jul 2025 03:27PM UTC, web-flow via github, 71.1: feat: add sign in with ethereum to `signInWithWeb3` (#1082) ## What kind of change does this PR introduce? This PR adds SIWE (Sign-In-With-Ethereum) support to auth-js, related to [this PR on /auth](https://github.com/supabase/auth/pull/2069) #...
  • 16344332478, master, push, 17 Jul 2025 11:53AM UTC, web-flow via github, 74.8: chore(master): release 2.71.1 (#1085) :robot: I have created a release *beep* *boop* --- ## [2.71.1](https://github.com/supabase/auth-js/compare/v2.71.0...v2.71.1) (2025-07-17) ### Bug Fixes * use JSON-based deep clone instead of structuredC...

© 2025 Coveralls, Inc