
Conversation

@landongrindheim
Copy link
Member

All of our TypeScript builds have failed in this project because we check to see if the dist/ directory matches what is in the pull request. Dependabot will open a pull request with changes to the manifest/lock files, but it won't build the dependencies. By building them and committing, we should be able to pass the check we're enforcing.

Note: I'm using [dependabot skip] in the commit message as it will allow Dependabot to rebase/recreate changes. Without that, the PR will be left open (and new changes will not be proposed).

@segiddins
Copy link
Contributor

The issue here is that it runs arbitrary, unreviewed code in a trusted context (with GH tokens that have escalated permissions). For this to be safe, it needs to be split into multiple jobs. Anything running arbitrary code needs to have restricted permissions (e.g. no write), and that job can save the updated output as an artifact that a dependent job can download and then push, so long as the dependent job doesn't execute any code from the dependencies in the updated `package.json`.
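A two-job layout of the kind described in the comment above, written here as an added illustration and not the workflow this PR merged. Assumptions: a `pull_request_target` trigger (so the second job can push back to the PR branch), Node 20, and a `main` base branch; the author check uses the PR author's login rather than `github.actor`, which changes to whoever last re-triggered the run.

```yaml
name: Rebuild dist for Dependabot PRs
# Assumed trigger; the PR page does not show the real one.
on:
  pull_request_target:
    branches: [main]

permissions: {}   # no default grants; each job opts in below

jobs:
  build:
    # Gate on the PR author, not the triggering actor, so a third party
    # reopening the PR does not satisfy the check.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: read    # untrusted: install/build scripts run here
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # keep the token out of .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 20             # assumed version
      - run: npm ci                    # lifecycle scripts may run here
      - run: npm run build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  commit:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write   # trusted: no dependency code is executed in this job
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add dist/
          # [dependabot skip] lets Dependabot keep rebasing/recreating the PR
          git diff --cached --quiet || git commit -m "Rebuild dist [dependabot skip]"
          git push
```

The write-capable job never runs `npm`, so whatever the updated dependencies' scripts do, they do it with a read-only token and no way to push.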

The commit stage requires access to GITHUB_TOKEN, which has elevated
permissions. `npm run build` has the potential to run scripts that
execute arbitrary code, so we need to ensure that step does not have
access to GITHUB_TOKEN.
`npm run all` ran tests and linting. That behavior is fine, but a
failure in this step due to those concerns would be misleading.
@landongrindheim
Copy link
Member Author

@segiddins Can you take another look? I've split the workflows to ensure GITHUB_TOKEN isn't available when running npm scripts, and updated the actor check to prevent spoofing.

Co-authored-by: Samuel Giddins <segiddins@segiddins.me>
@landongrindheim
Copy link
Member Author

@segiddins @colby-swandale I don't have merge rights in this repo. Could one of you take care of that? 🙇

@segiddins segiddins merged commit 651f998 into rubygems:main Aug 15, 2025
9 of 13 checks passed