supabase / auth-js / build 17320322015 / job 1
Coverage: 81% (master: 81%)

Build: default branch master · ran 29 Aug 2025 09:40AM UTC · 16 files · run time 0s
29 Aug 2025 09:37AM UTC coverage: 80.811% (remained the same)
Job 17320322015.1 · push · github · web-flow
Commit: chore: secure-proof workflows (#1105)

## What kind of change does this PR introduce?

Proactive security hardening - implementing defense-in-depth for our
preview release workflow.

## What is the current behavior?

The current `preview-release.yml` workflow is **secure in practice** but
uses a pattern that could be theoretically vulnerable if our existing
safeguards were bypassed.

Current workflow security analysis:
- ✅ **Protected by maintainer-only label requirement** (`trigger: preview`)
- ✅ **No code injection vulnerabilities** (no direct interpolation of user input)
- ✅ **Limited permission scope** (only `pull-requests: write`)
- ⚠️ **Theoretical risk**: Uses `pull_request_target` while checking out PR head code
- ⚠️ **Pattern concern**: Executes `npm ci` and `npm run build` from forks in a context with secrets

**Important**: Our workflow was never vulnerable to the attacks seen in
the [recent
incident](https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c)
due to our security controls. However, in light of recent supply chain
attacks, we're implementing additional layers of security.

## What is the new behavior?

Implementing a **zero-trust architecture** that makes exploitation
impossible even if all other safeguards fail.

### New Three-Workflow Architecture:
1. **`preview-build.yml`** - Executes untrusted fork code in a completely isolated environment (no secrets, minimal permissions)
2. **`trigger-tests.yml`** - Orchestrates testing using only artifacts (never touches fork code, has access to secrets)
3. **`preview-comment.yml`** - Updates PR status (read-only operations with artifacts)

### Security Improvements:

| Security Layer | Previous (Secure) | New (Defense-in-Depth) |
|---------------|-------------------|------------------------|
| **Maintainer Control** | ✅ Required label | ✅ Required label |
| **Code Injection Protection** | ✅ No interpolation | ✅ No interpolation |
| **Fork Code Isolation** | ⚠️ Runs with secre... (continued)
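As an added illustration of the pattern the PR describes, and not supabase's actual workflow files or any part of the PR, the weak shape (a `pull_request_target` job that checks out and builds the PR head) is shown beside the split the PR introduces: a build job that runs fork code without secrets and a `workflow_run` job that consumes only the resulting artifact. The file names, the `trigger: preview` label and the `pull-requests: write` scope come from the PR text; the artifact name, the `dist/` path and the `npm test` step are assumptions.

```yaml
# BEFORE (the retired pattern, reconstructed from the PR's description):
# pull_request_target runs in the base repository's context, with secrets
# and a write-capable token, yet checks out and builds the fork's code, so
# anything a fork puts in package.json scripts runs with secrets in reach.
name: preview-release
on:
  pull_request_target:
    types: [labeled]
jobs:
  preview:
    if: github.event.label.name == 'trigger: preview'   # maintainer-only label gate
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: npm ci && npm run build                        # executed with secrets available
---
# AFTER, part 1: preview-build.yml (assumed contents). The plain
# pull_request event from a fork gets a read-only GITHUB_TOKEN and no
# repository secrets, so this is where untrusted code is allowed to run.
name: preview-build
on:
  pull_request:
    types: [labeled]
permissions:
  contents: read
jobs:
  build:
    if: github.event.label.name == 'trigger: preview'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4           # checks out the PR merge ref; no secrets here
      - run: npm ci && npm run build
      - uses: actions/upload-artifact@v4
        with:
          name: preview-build               # assumed artifact name
          path: dist/                       # assumed build output path
---
# AFTER, part 2: trigger-tests.yml (assumed contents). workflow_run always
# executes the workflow file from the default branch, in the base repo's
# context. It never checks out fork code; it only downloads the artifact.
name: trigger-tests
on:
  workflow_run:
    workflows: [preview-build]
    types: [completed]
jobs:
  test:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4           # default branch only: trusted test harness
      - uses: actions/download-artifact@v4
        with:
          name: preview-build
          path: dist/
          run-id: ${{ github.event.workflow_run.id }}   # fetch from the triggering run
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: npm test                       # assumed; treats dist/ as data under test
```

The boundary that matters is in the second file: the artifact is output of untrusted code, so the secret-bearing job should treat it as input to be tested and should not execute scripts or configuration shipped inside it. Checking out only the default branch in that job is what keeps the test harness itself trusted.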

1080 of 1441 branches covered (74.95%)

Branch coverage included in aggregate %.

1451 of 1691 relevant lines covered (85.81%)

92.92 hits per line

Source Files on job 17320322015.1: 16 files, 0 changed, 0 source changed, 0 coverage changed
Commit dacd705b on github

© 2025 Coveralls, Inc