ci: support fork PRs via environment-gated secrets [DX-1292] #3289
ethan ozelius (ethan-ozelius-contentful) wants to merge 1 commit into
1f2fdad to 6f9ad54
Changelist by Bito
This pull request implements the following key changes.
Impact Analysis by Bito
Interaction Diagram

```mermaid
sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub
    participant MainWF as main.yaml<br/>🔄 Updated | ●●● High
    participant ForkWF as fork-ci.yaml<br/>🟩 Added | ●●● High
    participant Build as build.yaml
    participant Check as check.yaml<br/>🔄 Updated | ●●○ Medium
    participant E2E as test-e2e.yaml<br/>🔄 Updated | ●●○ Medium
    participant Env as GitHub Environment
    Note over MainWF, ForkWF: Fork PRs now use<br/>separate workflow path
    Dev->>GH: Create Pull Request
    alt PR from fork repository
        GH->>ForkWF: Trigger fork-ci workflow
        ForkWF->>Build: Call build job
        Build-->>ForkWF: Build artifacts cached
        ForkWF->>Check: Call check with environment=fork-ci
        Check->>Env: Use fork-ci environment protection
        Check-->>ForkWF: Tests complete
        ForkWF->>E2E: Call e2e-tests with environment=fork-ci
        E2E->>Env: Use fork-ci environment protection
        E2E-->>ForkWF: E2E tests complete
    else PR from internal branch
        GH->>MainWF: Trigger main workflow
        MainWF->>Build: Call build job
        Build-->>MainWF: Build artifacts cached
        MainWF->>Check: Call check (no environment)
        Check-->>MainWF: Tests complete
        MainWF->>E2E: Call e2e-tests (no environment)
        E2E-->>MainWF: E2E tests complete
    end
    ForkWF-->>Dev: CI results posted
    MainWF-->>Dev: CI results posted
```
This MR introduces a separate CI workflow for fork PRs (fork-ci.yaml) with environment protection, while modifying main.yaml to skip fork PRs. The check.yaml and test-e2e.yaml workflows now accept an optional environment input to support this segregation. This prevents untrusted fork code from accessing secrets in the default environment while still allowing CI validation.
Code Review Agent Run #8d9b5f

Actionable Suggestions - 3
- .github/workflows/check.yaml - 1
  - Missing required workflow input · Line 8-10
- .github/workflows/fork-ci.yaml - 2
  - CWE-345: Missing Secrets Propagation · Line 14-18
  - CWE-345: Missing Secrets Propagation · Line 20-24

Filtered by Review Rules (Bito filtered these suggestions based on rules created automatically for your feedback)
- .github/workflows/main.yaml - 1
  - Missing required workflow input · Line 15-15

Review Details
- Files reviewed - 4 · Commit Range: 6f9ad54..6f9ad54
  - .github/workflows/check.yaml
  - .github/workflows/fork-ci.yaml
  - .github/workflows/main.yaml
  - .github/workflows/test-e2e.yaml
- Files skipped - 0
- Tools
  - Whispers (Secret Scanner) - ✔︎ Successful
  - Detect-secrets (Secret Scanner) - ✔︎ Successful
| check: | ||
| needs: build | ||
| uses: ./.github/workflows/check.yaml | ||
| with: | ||
| environment: fork-ci |
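Review bot: only `check` carries `environment: fork-ci` here, while the job it depends on (`needs: build`) calls build.yaml with no environment, so fork code has already executed in the build job before any maintainer reaches the approval gate. That is acceptable only if build.yaml reads no secrets; state that assumption in the PR description's pre-requisites, since the later approval does not retroactively cover what the ungated build already ran.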
The check job calls ./.github/workflows/check.yaml which requires CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN and CLI_E2E_ORG_ID secrets (defined as required in check.yaml:12-15). Without secrets: inherit, these required secrets won't be passed, causing the workflow to fail at runtime. Compare with main.yaml:21 which correctly uses secrets: inherit. (CWE-345)
Code Review Run #8d9b5f
| e2e-tests: | ||
| needs: [build, check] | ||
| uses: ./.github/workflows/test-e2e.yaml | ||
| with: | ||
| environment: fork-ci |
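Review bot: with both `check` and `e2e-tests` pinned to `environment: fork-ci` and `needs: [build, check]` serialising them, a maintainer has to approve twice per fork PR run, and the second prompt appears only after `check` has finished. The description's "How it works" reads as a single gate; document the two approvals there so reviewers are not surprised by a run that appears stuck after the first approval.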
The e2e-tests job calls ./.github/workflows/test-e2e.yaml which requires CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN and CLI_E2E_ORG_ID secrets (defined as required in test-e2e.yaml:12-15). Without secrets: inherit, these required secrets won't be passed, causing the workflow to fail at runtime. Compare with main.yaml:26 which correctly uses secrets: inherit. (CWE-345)
Code Review Run #8d9b5f
…Rs originating from forked repos

Add a fork-ci workflow and GitHub environment so external contributors can open PRs from forks and have CI pass after a maintainer approves the environment deployment.

- Add fork-ci.yaml that routes fork PRs through a `fork-ci` environment
- Thread an `environment` input through check.yaml and test-e2e.yaml so jobs pick up environment secrets when set
- Gate main.yaml's build job to skip for fork PRs to avoid double-runs

Requires a `fork-ci` GitHub environment with required reviewers and the two secrets defined before this workflow is functional.
6f9ad54 to 3343d42
Code Review Agent Run #2b05a7
Actionable Suggestions - 0 · Additional Suggestions - 1
| Source | Requirement / Code Area | Status | Notes |
|---|---|---|---|
| DX-1292 | Ensure CLI e2e tests properly inject environment variables when running for forked pull requests | ✅ Met | The PR implements environment variable injection for forked PRs by: (1) Creating a new .github/workflows/fork-ci.yaml workflow that detects forked PRs with `if: github.event.pull_request.head.repo.fork == true`, (2) Passing `environment: fork-ci` to the e2e-tests workflow via the `with` block, and (3) Adding `environment` input parameter and applying `environment: ${{ inputs.environment }}` to the e2e-tests job in .github/workflows/test-e2e.yaml. This ensures environment variables are properly injected when running e2e tests on pull requests from forks. |
Summary
- New `fork-ci.yaml` workflow that runs for PRs opened from forks, routing the `check` and `e2e-tests` jobs through a `fork-ci` GitHub environment so secrets are injected after maintainer approval
- Updated `check.yaml` and `test-e2e.yaml` to accept an optional `environment` input, removing the hard `required: true` on secrets (they still resolve normally for internal PRs — the input defaults to `''`)
- Gated `main.yaml` to skip fork PRs so both workflows don't fire on the same event
How it works
When an external contributor opens a fork PR, `fork-ci.yaml` triggers. The `build` job runs immediately. The `check` and `e2e-tests` jobs pause at the `fork-ci` environment gate until a maintainer approves — at which point `CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN` and `CLI_E2E_ORG_ID` are injected from environment secrets and the jobs proceed normally.
Internal PRs are unaffected — `main.yaml` still runs with `secrets: inherit`.

Pre-requisites (manual setup required before merging)
- `fork-ci` environment in repo Settings → Environments
- `CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN` and `CLI_E2E_ORG_ID` as secrets on that environment
- Required reviewers on the `fork-ci` environment (without this gate, fork code runs with live secrets unreviewed)
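The caller/callee wiring the description sets out, as an added example and not the PR's own files: a condensed fork-ci.yaml beside a condensed check.yaml. The fork condition, the `environment` input, the `fork-ci` environment and the two secret names are taken from the PR; the `permissions` block, the `build.yaml` path being secret-free, the fail-fast step and the `npm test` command are assumptions.

```yaml
# .github/workflows/fork-ci.yaml (caller). Assumed: main.yaml carries the
# inverted `head.repo.fork == false` condition so only one workflow fires.
name: fork-ci
on:
  pull_request:
permissions:
  contents: read            # fork PRs only ever get a read-only GITHUB_TOKEN
jobs:
  build:
    if: github.event.pull_request.head.repo.fork == true
    uses: ./.github/workflows/build.yaml   # ungated: must not need secrets
  check:
    needs: build
    uses: ./.github/workflows/check.yaml
    with:
      environment: fork-ci  # job waits here for a required reviewer
    secrets: inherit        # without this the callee's secrets stay empty
---
# .github/workflows/check.yaml (callee, abbreviated)
name: check
on:
  workflow_call:
    inputs:
      environment:
        type: string
        required: false
        default: ''         # internal PRs pass nothing: no environment, no gate
    secrets:
      CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN:
        required: false     # was required: true; now resolved from the environment
      CLI_E2E_ORG_ID:
        required: false
jobs:
  check:
    runs-on: ubuntu-latest
    environment: ${{ inputs.environment }}
    env:
      CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN: ${{ secrets.CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN }}
      CLI_E2E_ORG_ID: ${{ secrets.CLI_E2E_ORG_ID }}
    steps:
      - uses: actions/checkout@v4
      - name: Fail fast if the gate did not supply the token
        if: env.CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN == ''
        run: |
          echo "::error::CONTENTFUL_INTEGRATION_TEST_CMA_TOKEN is empty"
          exit 1
      - run: npm test       # placeholder for the real integration test command
```

The fail-fast step turns a forgotten `secrets: inherit` (the case Bito flags above) into an explicit error instead of an opaque test failure.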
Test plan
- Fork PR: `fork-ci` workflow triggers and pauses at the environment gate
- Internal PR: `main.yaml` only

Summary by Bito
This PR implements a secure fork PR CI pipeline for external contributors by introducing a new fork-ci.yaml workflow, updating existing reusable workflows to accept environment inputs, and gating main.yaml to prevent duplicate runs on fork PRs.
Detailed Changes