Remove SF_PUSH_KEY from GitHub actions#3760
Conversation
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: true |
There was a problem hiding this comment.
🚩 GITHUB_TOKEN vs SSH deploy key: CI triggers on created PRs
With the SSH deploy key removed, the workflow now relies on GITHUB_TOKEN for authentication. A well-known difference is that PRs created using GITHUB_TOKEN do not trigger subsequent GitHub Actions workflows (e.g., CI checks), whereas PRs created via a deploy key or PAT do. However, since the other analogous workflows (update-font-list.yml:17-19, update-npm-audit.yml:17-19) already operate without an SSH key and presumably work fine, this is likely an accepted tradeoff in this repository. If CI checks running automatically on the created i18n/update PR branch are important, this could be a concern.
(Refers to lines 17-20)
Was this helpful? React with 👍 or 👎 to provide feedback.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #3760 +/- ##
=======================================
Coverage 81.29% 81.29%
=======================================
Files 621 621
Lines 39114 39114
Branches 6358 6358
=======================================
Hits 31798 31798
Misses 6344 6344
Partials 972 972 ☔ View full report in Codecov by Sentry. |
RaymondLuong3
left a comment
RaymondLuong3
left a comment
There was a problem hiding this comment.
Thanks for the explanation. I approve. I'll let you merge this so that you remember to delete the secret from the repo as you mentioned.
@RaymondLuong3 reviewed 1 file and all commit messages, and made 1 comment.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on Nateowami).
Nateowami
force-pushed
the
actions/remove-sf-push-key
branch
from
3a53ea7 to
b655a34
Compare
|
@RaymondLuong3 Thanks; that was smart thinking. I've deleted the secret and run the workflow to make sure it is still functional. |
2 participants
When a GitHub action creates a PR, GitHub actions don't run on that PR, because GitHub tries to prevent that type of thing (probably in order to prevent infinite actions, and/or security implications).
A workaround for that is to give an action credentials to act on behalf of a user. I attempted to do that when setting up the workflows that open PRs by using an SSH key as the credential when pushing changes, as this is one of the documented methods in the peter-evans/create-pull-request repo.
Unfortunately this was never successful, and I later discovered that closing and reopening the PR was enough to trigger the workflows.
This PR removes an unneeded secret and brings it in line with our other PR-creating workflows. Once merged, I intend to delete the secret from the repo, so no actions can access it.
This change is