Will there be a way to create trusted actions? Actions can be in other repositories and version locked and therefore marked as “trusted”. This is similar in concept to a GitHub Application being trusted since you installed it and gave it specific permissions.
Jenkins does this with “shared libraries” where normal Jenkinsfiles run in a sandboxed environment and the libraries are in a trusted context and are not limited by the sandbox.
Trusted actions could access secrets. The execution of these actions could not be altered by PRs from forks, but the base repo could still enforce checks and have integrations with 3rd party services like Cypress dashboard, Codecov, etc.
Would this be an okay compromise? If Codecov or Cypress created an action that defined secrets it needed access to, we’d opt into trusting those actions and giving them access to certain secrets. That access shouldn’t matter if the PR is from the base repo or from a fork.
```yaml
- uses: cypress-io/cypress-run-action@v1
```
All execution is in the action with an opt-in for key sharing. If the action is only run against the base branch, compromise is limited to someone gaining malicious access to the action, mitigated by version locks (although tags could be compromised as well). Orgs could further limit compromise by only using their own actions (this example is simply a wrapper around `npm run cypress:run -- --record --key=$CYPRESS_RECORD_KEY` inside its own Docker container with the current workspace mounted).
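The post points out that version locks limit the blast radius of a compromised action, but that tags can be moved. The check below is an added example, not part of the original post: it scans a workflow for `uses:` references that are locked only to a mutable tag or branch instead of an immutable full-length commit SHA. The workflow text and the 40-hex SHA in it are constructed sample input.

```python
import re

# Matches a `uses:` step and captures its reference (e.g. owner/repo@v1).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full-length commit SHA is the only immutable Git reference for an action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cypress-io/cypress-run-action@v1
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
"""


def classify_uses(ref: str) -> str:
    """Return 'local', 'docker', 'sha' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"          # lives in this repo; reviewed with the PR
    if ref.startswith("docker://"):
        return "docker"         # image refs need digest pinning, handled separately
    if "@" not in ref:
        return "mutable"        # no version at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text: str) -> list:
    """List every third-party action reference not pinned to a full commit SHA."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "mutable":
            unpinned.append(m.group(1))
    return unpinned


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"not pinned to a commit SHA: {ref}")
```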