Check run permissions for build artifact generation secrets usage (#11897)

2025-12-16 00:03:56 +00:00 · 2024-11-07 13:01:54 -05:00
parent b42741f313
commit db40f20160
4 changed files with 105 additions and 31 deletions
--- a/.github/workflows/build-browser.yml
+++ b/.github/workflows/build-browser.yml
@@ -1,7 +1,8 @@
 name: Build Browser
 on:
-  pull_request:
+  pull_request_target:
    types: [opened, synchronize]
    branches-ignore:
      - 'l10n_master'
      - 'cf-pages'
@@ -33,6 +34,10 @@ defaults:
    shell: bash
 jobs:
  check-run:
    name: Check PR run
    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
  setup:
    name: Setup
    runs-on: ubuntu-22.04
@@ -41,8 +46,10 @@ jobs:
      adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }}
      node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Get Package Version
        id: gen_vars
@@ -71,8 +78,10 @@ jobs:
      run:
        working-directory: apps/browser
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Testing locales - extName length
        run: |
@@ -109,8 +118,10 @@ jobs:
      _BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }}
      _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -225,12 +236,15 @@ jobs:
    needs:
      - setup
      - locales-test
      - check-run
    env:
      _BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }}
      _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -342,8 +356,10 @@ jobs:
      - build
      - build-safari
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Login to Azure
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -1,7 +1,8 @@
 name: Build CLI
 on:
-  pull_request:
+  pull_request_target:
    types: [opened, synchronize]
    branches-ignore:
      - 'l10n_master'
      - 'cf-pages'
@@ -34,6 +35,10 @@ defaults:
    working-directory: apps/cli
 jobs:
  check-run:
    name: Check PR run
    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
  setup:
    name: Setup
    runs-on: ubuntu-22.04
@@ -41,8 +46,10 @@ jobs:
      package_version: ${{ steps.retrieve-package-version.outputs.package_version }}
      node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Get Package Version
        id: retrieve-package-version
@@ -58,7 +65,6 @@ jobs:
          NODE_VERSION=${NODE_NVMRC/v/''}
          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
  cli:
    name: "${{ matrix.os.base }} - ${{ matrix.license_type.readable }}"
    strategy:
@@ -82,8 +88,10 @@ jobs:
      _WIN_PKG_FETCH_VERSION: 20.11.1
      _WIN_PKG_VERSION: 3.5
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Setup Unix Vars
        run: |
@@ -160,8 +168,10 @@ jobs:
      _WIN_PKG_FETCH_VERSION: 20.11.1
      _WIN_PKG_VERSION: 3.5
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Setup Windows builder
        run: |
@@ -310,8 +320,10 @@ jobs:
    env:
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Print environment
        run: |
@@ -386,6 +398,7 @@ jobs:
      - cli
      - cli-windows
      - snap
      - check-run
    steps:
      - name: Check if any job failed
        working-directory: ${{ github.workspace }}
--- a/.github/workflows/build-desktop.yml
+++ b/.github/workflows/build-desktop.yml
@@ -1,7 +1,8 @@
 name: Build Desktop
 on:
-  pull_request:
+  pull_request_target:
    types: [opened, synchronize]
    branches-ignore:
      - 'l10n_master'
      - 'cf-pages'
@@ -32,12 +33,18 @@ defaults:
    shell: bash
 jobs:
  check-run:
    name: Check PR run
    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
  electron-verify:
    name: Verify Electron Version
    runs-on: ubuntu-22.04
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Verify
        run: |
@@ -65,8 +72,10 @@ jobs:
      run:
        working-directory: apps/desktop
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Get Package Version
        id: retrieve-version
@@ -138,8 +147,10 @@ jobs:
      run:
        working-directory: apps/desktop
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -238,7 +249,9 @@ jobs:
  windows:
    name: Windows Build
    runs-on: windows-2022
-    needs: setup
+    needs:
      - setup
      - check-run
    defaults:
      run:
        shell: pwsh
@@ -248,8 +261,10 @@ jobs:
      _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
      NODE_OPTIONS: --max_old_space_size=4096
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -447,7 +462,9 @@ jobs:
  macos-build:
    name: MacOS Build
    runs-on: macos-13
-    needs: setup
+    needs:
      - setup
      - check-run
    env:
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
      _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
@@ -456,8 +473,10 @@ jobs:
      run:
        working-directory: apps/desktop
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -622,8 +641,10 @@ jobs:
      run:
        working-directory: apps/desktop
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -841,8 +862,10 @@ jobs:
      run:
        working-directory: apps/desktop
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -1088,8 +1111,10 @@ jobs:
      run:
        working-directory: apps/desktop
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -1279,8 +1304,10 @@ jobs:
      - macos-package-mas
    runs-on: ubuntu-22.04
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Login to Azure
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -1,7 +1,8 @@
 name: Build Web
 on:
-  pull_request:
+  pull_request_target:
    types: [opened, synchronize]
    branches-ignore:
      - 'l10n_master'
      - 'cf-pages'
@@ -36,6 +37,10 @@ env:
  _AZ_REGISTRY: bitwardenprod.azurecr.io
 jobs:
  check-run:
    name: Check PR run
    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
  setup:
    name: Setup
    runs-on: ubuntu-22.04
@@ -43,8 +48,10 @@ jobs:
      version: ${{ steps.version.outputs.value }}
      node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Get GitHub sha as version
        id: version
@@ -89,8 +96,10 @@ jobs:
            git_metadata: true
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Set up Node
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
@@ -142,6 +151,7 @@ jobs:
    needs:
      - setup
      - build-artifacts
      - check-run
    strategy:
      fail-fast: false
      matrix:
@@ -155,8 +165,10 @@ jobs:
    env:
      _VERSION: ${{ needs.setup.outputs.version }}
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Check Branch to Publish
        env:
@@ -250,11 +262,15 @@ jobs:
  crowdin-push:
    name: Crowdin Push
    if: github.ref == 'refs/heads/main'
-    needs: build-artifacts
+    needs:
      - build-artifacts
      - check-run
    runs-on: ubuntu-22.04
    steps:
-      - name: Checkout repo
+      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{  github.event.pull_request.head.sha }}
      - name: Login to Azure
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -284,7 +300,9 @@ jobs:
    name: Trigger web vault deploy
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-22.04
-    needs: build-artifacts
+    needs:
      - build-artifacts
      - check-run
    steps:
      - name: Login to Azure - CI Subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0