Harden manual store submission workflow #990

Open

PeterDaveHello wants to merge 1 commit into master from codex/fix-manual-release-workflow-vulnerability

Conversation

@PeterDaveHello PeterDaveHello commented Jun 30, 2026

Member

Motivation

Manual dispatches should validate release artifacts without exposing store credentials or entering the authenticated store submission path.

Description

  • Split .github/workflows/tagged-release.yml into a read-only manual_preflight job for workflow_dispatch and a push-only release job for v* tags.
  • Keep manual preflight runs free of store secrets, persisted checkout credentials, and workflow-level GH_TOKEN exposure.
  • Added release:submit:preflight and --preflight-only so manual runs validate required release artifacts and Firefox manifest metadata without invoking publish-extension.
  • Kept real Chrome, Firefox, and Edge store submission on the tag-push release path, where the real secrets.* values are injected.

Testing

  • git diff --check github/master...HEAD
  • workflow YAML parse check
  • node --import ./tests/setup/browser-shim.mjs --test tests/unit/release/submit-stores.test.mjs
  • npm run lint
  • npm test
  • npm run build
  • npm run release:firefox-sources
  • npm run release:submit:preflight without store secrets
  • GitHub Actions tests passed on this PR
  • CodeRabbit completed with no actionable comments

Summary by CodeRabbit

  • New Features
    • Added a dedicated “preflight” mode for store submissions (release:submit:preflight), with optional --preflight-only behavior to validate release readiness without publishing.
  • Bug Fixes
    • Improved store submission reliability by splitting manual preflight from tag-triggered releases.
    • Updated token handling and GitHub release step configuration for smoother credential use.
    • Enhanced validation and error handling for Firefox release metadata during submission flows.
  • Tests
    • Expanded unit test coverage for preflight vs dry-run vs submit scenarios and failure cases.
  • Chores
    • Refined release workflow steps to better match intended run modes.
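The job split the description above summarizes, written out as an added illustrative workflow. This is not the repository's actual tagged-release.yml; the `permissions` blocks, the `dist/*.zip` artifact glob, the `gh release create` invocation and the store secret names are assumptions, while the job names and npm scripts are the ones the PR describes.

```yaml
name: Tagged release

on:
  push:
    tags: ['v*']
  workflow_dispatch:

# No workflow-level `env: GH_TOKEN`: a manual run on any branch must not
# inherit a write-capable token it does not need.

jobs:
  manual_preflight:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: read            # read-only token for the whole job
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # nothing left behind in .git/config
      - run: npm ci
      - run: npm run build
      - run: npm run release:firefox-sources
      # Validates artifacts and Firefox manifest metadata; no store
      # secrets are referenced anywhere in this job.
      - run: npm run release:submit:preflight

  release:
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    permissions:
      contents: write           # needed to create the GitHub release
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run build
      - name: Create GitHub release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # step-local, not global
        run: gh release create "$GITHUB_REF_NAME" --generate-notes dist/*.zip
      - name: Submit to Chrome, Firefox and Edge stores
        env:
          # Placeholder secret names; the real names are not on the page.
          CHROME_CLIENT_ID: ${{ secrets.CHROME_CLIENT_ID }}
          FIREFOX_JWT_ISSUER: ${{ secrets.FIREFOX_JWT_ISSUER }}
          EDGE_CLIENT_ID: ${{ secrets.EDGE_CLIENT_ID }}
        run: npm run release:submit
```

The check to make when reviewing such a workflow is that no step reachable from `workflow_dispatch` references `secrets.*` and that `GH_TOKEN` appears only in step-level `env`, never at workflow or job level.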

@gemini-code-assist

Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

coderabbitai Bot commented Jun 30, 2026

Contributor

Walkthrough

This PR splits tagged-release into manual preflight and tag-push release paths, adds a preflight-only store submission script entry, extends store submission parsing and dependency injection, and updates unit tests for the new execution modes.

Changes

Tagged release flow split

| Layer | File(s) | Summary |
| --- | --- | --- |
| Workflow split and release token scoping | .github/workflows/tagged-release.yml, package.json | The workflow now uses separate manual preflight and tag-push jobs, and adds a release:submit:preflight npm script for the manual path. Step-local GH_TOKEN is used for GitHub CLI commands, and checkout credential settings differ by job. |
| Store submission preflight support | scripts/submit-stores.mjs | submitStores gains a preflight-only mode, injected dependencies, explicit Firefox manifest validation, environment-controlled publish execution, and early return behavior for preflight runs. |
| Submit-stores test coverage | tests/unit/release/submit-stores.test.mjs | The unit tests cover the new flag parsing, preflight-only behavior, dry-run precedence, manifest error cases, missing secrets, and the success path for publishing plus metadata updates. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant GitHubActions
  participant npm
  participant submitStores

  GitHubActions->>npm: workflow_dispatch on manual_preflight
  npm->>submitStores: npm run release:submit:preflight
  GitHubActions->>npm: push tag v*
  npm->>submitStores: npm run release:submit
```

Estimated code review effort: 4 (Complex) | ~45 minutes

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | Passed | Check skipped: CodeRabbit’s high-level summary is enabled. |
| Title check | Passed | The title clearly matches the main change: hardening the manual store submission workflow and reducing secret exposure. |
@qodo-code-review

Contributor

PR Summary by Qodo

Harden tagged-release workflow to prevent secret exposure on manual dispatch

🐞 Bug fix ⚙️ Configuration changes 🕐 10-20 Minutes

AI Description

• Scope GH_TOKEN only to gh release steps executed on push-tag runs.
• Prevent workflow_dispatch checkouts from inheriting repository credentials.
• Split store submission into manual dry-run (dummy env only) vs push-only real submission (secrets).
Diagram

```mermaid
graph TD
A(("Workflow trigger")) --> B{{"Event type?"}}
B -->|"push v* tag"| C["Checkout (persist creds on push)"] --> D["Release steps (GH_TOKEN scoped)"] --> E["Submit stores (real secrets)"] --> F["Publish release (GH_TOKEN scoped)"]
B -->|"workflow_dispatch"| C --> G["Build + package"] --> H["Submit stores (dry-run, dummy env)"]
subgraph Legend
direction LR
_start(("Trigger")) ~~~ _decision{{"Decision"}} ~~~ _step["Step"]
end
```
High-Level Assessment

The following are alternative approaches to this PR:

1. Split into two workflows (release vs manual preflight)
  • ➕ Eliminates complex conditional logic in a single YAML
  • ➕ Makes secret-free manual workflow intent explicit
  • ➖ Some duplication of build/release steps across workflows
  • ➖ Requires keeping two workflows in sync
2. Force workflow_dispatch to run only from default branch ref
  • ➕ Further reduces attack surface by never executing untrusted refs for manual runs
  • ➕ Simplifies credential hardening requirements
  • ➖ Loses ability to validate release pipeline against branch-specific changes
3. Use GitHub Environments with required reviewers for store submission
  • ➕ Adds an approval gate even if a step is misconfigured in the future
  • ➕ Environment-scoped secrets limit accidental exposure
  • ➖ Operational overhead and slower releases
  • ➖ Requires additional repository configuration

Recommendation: The PR’s approach is a good minimal-scope hardening: it removes global token exposure, disables persisted checkout credentials for manual runs, and ensures manual store submission cannot access real secrets. Consider adding an Environment approval gate for the push-only store submission as a defense-in-depth follow-up.

Files changed (1): +33 / -13

.github/workflows/tagged-release.yml (+33 / -13): Scope tokens and split store submission into push-only vs manual dry-run

• Removes the global GH_TOKEN and injects it only on gh release steps that run on push-tag events. Updates checkout to avoid persisting repository credentials on workflow_dispatch. Splits store submission into a manual-only dry-run step using dummy env vars and a push-only real submission step using secrets.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a3d0e2303d

Comment thread .github/workflows/tagged-release.yml Outdated

Copilot AI left a comment


Pull request overview

This PR hardens the tagged-release GitHub Actions workflow to prevent credential exposure when collaborators manually trigger workflow_dispatch, while keeping real store submissions restricted to trusted tag-push runs.

Changes:

  • Removed the workflow-wide GH_TOKEN and instead injects GH_TOKEN only into the push-only gh release steps.
  • Prevents credential persistence during manual runs by setting actions/checkout persist-credentials to only persist on push.
  • Splits store submission into a manual-only dry-run step (with dummy store env vars and forced --dry-run) and a push-only real submission step (with secrets.*).

@qodo-code-review

Contributor

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

Manual dispatches should validate release artifacts without invoking
publish-browser-extension's authenticated dry-run path.

Run workflow_dispatch as a read-only GitHub Actions preflight job with
no persisted checkout credentials. Keep real store submission on tag
pushes only. Cover artifact, manifest, and credential boundaries with
targeted tests.
@PeterDaveHello PeterDaveHello force-pushed the codex/fix-manual-release-workflow-vulnerability branch from a3d0e23 to c8380f7 on July 3, 2026 15:51

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Comment thread scripts/submit-stores.mjs
Comment thread .github/workflows/tagged-release.yml