-
-
Notifications
You must be signed in to change notification settings - Fork 2
Security hardening: GitHub Actions workflows #124
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,6 +16,9 @@ on: | |
| required: false | ||
| default: '10' | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| test: | ||
| runs-on: ubuntu-latest | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -15,26 +15,28 @@ on: | |
| branches: [ main ] | ||
| workflow_dispatch: | ||
| inputs: | ||
| AZURE_CREDENTIALS: | ||
| description: "Service principal JSON for azure/login (optional; recommended via GitHub Secret)" | ||
| required: false | ||
| type: string | ||
| LOGIC_APP_URL: | ||
| description: "Logic App URL for optional notifications" | ||
| required: false | ||
| type: string | ||
|
|
||
| # Credentials must come exclusively from the AZURE_CREDENTIALS repository secret. | ||
| # Never pass service principal JSON as a workflow_dispatch input — it would be | ||
| # visible in the GitHub Actions UI and potentially captured in runner logs. | ||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| run-quantum: | ||
| runs-on: windows-latest | ||
| timeout-minutes: 30 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Azure Login | ||
| if: ${{ inputs.AZURE_CREDENTIALS != '' }} | ||
| if: ${{ secrets.AZURE_CREDENTIALS != '' }} | ||
| uses: azure/login@v2 | ||
| with: | ||
| creds: ${{ inputs.AZURE_CREDENTIALS }} | ||
| creds: ${{ secrets.AZURE_CREDENTIALS }} | ||
| - name: Run Orchestration | ||
|
Comment on lines
35
to
40
|
||
| shell: pwsh | ||
| run: | | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ifThis condition uses
secrets.AZURE_CREDENTIALSdirectly inif, which GitHub Actions does not support for conditionals (the docs require mapping the secret to an env var first and checking that env var). As written, the Azure Login step can be skipped even when the secret exists, so the subsequent orchestration script runs unauthenticated and fails against Azure resources.Useful? React with 👍 / 👎.