Harden manual store submission workflow #990
Walkthrough (CodeRabbit)
This PR splits tagged-release into manual preflight and tag-push release paths, adds a preflight-only store submission script entry, extends store submission parsing and dependency injection, and updates unit tests for the new execution modes.
Changes: Tagged release flow split
Sequence Diagram(s)
    sequenceDiagram
        participant GitHubActions
        participant npm
        participant submitStores
        GitHubActions->>npm: workflow_dispatch on manual_preflight
        npm->>submitStores: npm run release:submit:preflight
        GitHubActions->>npm: push tag v*
        npm->>submitStores: npm run release:submit
Estimated code review effort: 4 (Complex), ~45 minutes. Pre-merge checks: 5 passed.
PR Summary by Qodo: Harden tagged-release workflow to prevent secret exposure on manual dispatch
Codex Review: reviewed commit a3d0e2303d
Pull request overview (Copilot)
This PR hardens the tagged-release GitHub Actions workflow to prevent credential exposure when collaborators manually trigger workflow_dispatch, while keeping real store submissions restricted to trusted tag-push runs.
Changes:
- Removed the workflow-wide GH_TOKEN and instead injects GH_TOKEN only into the push-only gh release steps.
- Prevents credential persistence during manual runs by setting actions/checkout persist-credentials to only persist on push.
- Splits store submission into a manual-only dry-run step (with dummy store env vars and forced --dry-run) and a push-only real submission step (with secrets.*).
Manual dispatches should validate release artifacts without invoking publish-browser-extension's authenticated dry-run path. Run workflow_dispatch as a read-only GitHub Actions preflight job with no persisted checkout credentials. Keep real store submission on tag pushes only. Cover artifact, manifest, and credential boundaries with targeted tests.
a3d0e23 to c8380f7
Motivation
Manual dispatches should validate release artifacts without exposing store credentials or entering the authenticated store submission path.
Description
- .github/workflows/tagged-release.yml into a read-only manual_preflight job for workflow_dispatch and a push-only release job for v* tags.
- GH_TOKEN exposure.
- release:submit:preflight and --preflight-only so manual runs validate required release artifacts and Firefox manifest metadata without invoking publish-extension.
- secrets.* values are injected.
Testing
- git diff --check github/master...HEAD
- node --import ./tests/setup/browser-shim.mjs --test tests/unit/release/submit-stores.test.mjs
- npm run lint
- npm test
- npm run build
- npm run release:firefox-sources
- npm run release:submit:preflight without store secrets
- tests passed on this PR
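The shape of the split workflow described above, written out as an added example (this is not the project's tagged-release.yml; the job and script names come from the PR, while the step layout, the `permissions` block, the action versions and the store variable names `STORE_API_KEY`/`STORE_API_SECRET` are assumptions chosen for illustration):

```yaml
name: tagged-release

on:
  push:
    tags: ["v*"]
  workflow_dispatch:

# Default to a read-only token for every job; the release job widens it itself.
permissions:
  contents: read

jobs:
  # Manual path: only runs for workflow_dispatch. It never references secrets.*,
  # so a collaborator triggering it cannot cause credentials to be read, and the
  # checkout does not persist a token into .git/config.
  manual_preflight:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm run build
      - run: npm run release:firefox-sources
      - name: Preflight store submission (no real credentials)
        env:
          # Hypothetical variable names with placeholder values, so the script's
          # required-variable checks pass without any real secret being present.
          STORE_API_KEY: placeholder
          STORE_API_SECRET: placeholder
        # release:submit:preflight runs with --preflight-only; --dry-run is forced
        # as a second guard so no publish call can be reached from this job.
        run: npm run release:submit:preflight -- --dry-run

  # Real path: reachable only from a v* tag push, which excludes manual dispatch.
  release:
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm run build
      - run: npm run release:firefox-sources
      - name: Create GitHub release
        env:
          # Scoped to this single step instead of the whole workflow.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "$GITHUB_REF_NAME" dist/*.zip --generate-notes
      - name: Submit to stores
        env:
          STORE_API_KEY: ${{ secrets.STORE_API_KEY }}
          STORE_API_SECRET: ${{ secrets.STORE_API_SECRET }}
        run: npm run release:submit
```

The property a reviewer should check is that no step reachable under `github.event_name == 'workflow_dispatch'` contains a `secrets.*` expression or a `persist-credentials: true` checkout; the job-level `if:` conditions are what enforce that boundary, and a later edit that adds a secret-bearing step to `manual_preflight` would silently undo the hardening.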
Summary by CodeRabbit
New Features
- release:submit:preflight, with optional --preflight-only behavior to validate release readiness without publishing.
Bug Fixes
Tests
Chores