Switch to pull_request_target events to hide cypress secrets (#6716)

Co-authored-by: Andrew Chubatiuk <[email protected]> Co-authored-by: Justin Clift <[email protected]>
getredash · Jan 30, 2024 · b98b5f2 · b98b5f2
1 parent d245ff7
commit b98b5f2
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 17 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,16 +3,22 @@ on:
   push:
     branches:
       - master
-  pull_request:
+  pull_request_target:
+    branches:
+      - master
 env:
   NODE_VERSION: 16.20.1
 jobs:
   backend-lint:
     runs-on: ubuntu-22.04
     steps:
+      - if: github.event.pull_request.mergeable == 'false'
+        name: Exit if PR is not mergeable
+        run: exit 1
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
       - uses: actions/setup-python@v4
         with:
           python-version: '3.8'
@@ -29,9 +35,13 @@ jobs:
       COMPOSE_DOCKER_CLI_BUILD: 1
       DOCKER_BUILDKIT: 1
     steps:
+      - if: github.event.pull_request.mergeable == 'false'
+        name: Exit if PR is not mergeable
+        run: exit 1
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
       - name: Build Docker Images
         run: |
           set -x
@@ -65,9 +75,13 @@ jobs:
   frontend-lint:
     runs-on: ubuntu-22.04
     steps:
+      - if: github.event.pull_request.mergeable == 'false'
+        name: Exit if PR is not mergeable
+        run: exit 1
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_VERSION }}
@@ -88,9 +102,13 @@ jobs:
     runs-on: ubuntu-22.04
     needs: frontend-lint
     steps:
+      - if: github.event.pull_request.mergeable == 'false'
+        name: Exit if PR is not mergeable
+        run: exit 1
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_VERSION }}
@@ -111,15 +129,19 @@ jobs:
     env:
       COMPOSE_FILE: .ci/docker-compose.cypress.yml
       COMPOSE_PROJECT_NAME: cypress
-      PERCY_TOKEN_ENCODED: ZGRiY2ZmZDQ0OTdjMzM5ZWE0ZGQzNTZiOWNkMDRjOTk4Zjg0ZjMxMWRmMDZiM2RjOTYxNDZhOGExMjI4ZDE3MA==
-      CYPRESS_PROJECT_ID_ENCODED: OTI0Y2th
-      CYPRESS_RECORD_KEY_ENCODED: YzA1OTIxMTUtYTA1Yy00NzQ2LWEyMDMtZmZjMDgwZGI2ODgx
       CYPRESS_INSTALL_BINARY: 0
       PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: 1
+      PERCY_TOKEN: ${{ secrets.PERCY_TOKEN }}
+      CYPRESS_PROJECT_ID: ${{ secrets.CYPRESS_PROJECT_ID }}
+      CYPRESS_RECORD_KEY: ${{ secrets.CYPRESS_RECORD_KEY }}
     steps:
+      - if: github.event.pull_request.mergeable == 'false'
+        name: Exit if PR is not mergeable
+        run: exit 1
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_VERSION }}
@@ -183,9 +205,13 @@ jobs:
       - build-skip-check
     if: needs.build-skip-check.outputs.skip == 'false'
     steps:
+      - if: github.event.pull_request.mergeable == 'false'
+        name: Exit if PR is not mergeable
+        run: exit 1
       - uses: actions/checkout@v3
         with:
           fetch-depth: 1
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NODE_VERSION }}

diff --git a/client/cypress/cypress.js b/client/cypress/cypress.js
@@ -1,6 +1,5 @@
 /* eslint-disable import/no-extraneous-dependencies, no-console */
 const { find } = require("lodash");
-const atob = require("atob");
 const { execSync } = require("child_process");
 const { get, post } = require("request").defaults({ jar: true });
 const { seedData } = require("./seed-data");
@@ -60,23 +59,11 @@ function stopServer() {
 
 function runCypressCI() {
   const {
-    PERCY_TOKEN_ENCODED,
-    CYPRESS_PROJECT_ID_ENCODED,
-    CYPRESS_RECORD_KEY_ENCODED,
     GITHUB_REPOSITORY,
     CYPRESS_OPTIONS, // eslint-disable-line no-unused-vars
   } = process.env;
 
   if (GITHUB_REPOSITORY === "getredash/redash") {
-    if (PERCY_TOKEN_ENCODED) {
-      process.env.PERCY_TOKEN = atob(`${PERCY_TOKEN_ENCODED}`);
-    }
-    if (CYPRESS_PROJECT_ID_ENCODED) {
-      process.env.CYPRESS_PROJECT_ID = atob(`${CYPRESS_PROJECT_ID_ENCODED}`);
-    }
-    if (CYPRESS_RECORD_KEY_ENCODED) {
-      process.env.CYPRESS_RECORD_KEY = atob(`${CYPRESS_RECORD_KEY_ENCODED}`);
-    }
     process.env.CYPRESS_OPTIONS = "--record";
   }