security update
source secrets from steps memory rather than directly in a shell script and add security guide to generate a throwaway Clever Cloud user for GitHub action
juliamrch committed Jan 22, 2024
1 parent 9de1b55 commit a93fab5
Showing 2 changed files with 31 additions and 18 deletions.
17 changes: 14 additions & 3 deletions README.md
@@ -61,23 +61,34 @@ Place this script in your repository in `.github/workflows/` and modify the foll
- `CLEVER_SECRET` and `CLEVER_TOKEN`: find them in your `clever-tools.json` after installing the CLI (example path on Mac: `~/.config/clever-cloud/clever-tools.json`)
- `ORGA_ID`: the organisation in which your app is created

Generally speaking, forks won't have access to secrets [from any base repository](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflows-in-forked-repositories-1). This is a GitHub Action security measure and there isn't any way of overriding this using GitHub Actions. **Any pull request from a fork will therefore fail**, consider warning your contributors about this.
For better security, we advise generating a specific `CLEVER_SECRET` and `CLEVER_TOKEN` for GitHub Actions. Follow these steps to do so:

1. Create a new user with a new email adress on Clever Cloud
2. Create a specific organization for deploying review apps
3. From your terminal, run `clever logout` and `clever login` right after
4. Log into the Console with your new user credetials
5. Get the generated `CLEVER_SECRET` and `CLEVER_TOKEN` and inject it into your repository secrets

Repeat steps 1-3 and connect from your main account to set your personal tokens. Your GitHub Acction user's tokens won't be revoked and will be used only from GitHub.

## Inject App Secrets

You can pass more secrets in your app by setting them in your GitHub repository and listing them in `env` and adding them like this : `<A_SECRET>: ${{ secrets.<A_SECRET> }}`.

Then when injecting environment variables in `Set evironment variables` step, add `clever env set <A_SECRET> ${{env.<A_SECRET>}}`.
Then when injecting environment variables in `Create and deploy app` step, add `clever env set <A_SECRET> "$<A_SECRET>"`.

For better security, follow this syntax and store the secrets in-memory for each step, to avoid exploits and leaks, instead ouf sourcing them directly in a shell script.

### Example Script

```yaml
step: Create and deploy app
env:
...
HUGO_VERSION: ${{ secrets.HUGO_VERSION }}

...
- name: Set evironment variables
run: |
clever env set HUGO_VERSION ${{env.HUGO_VERSION}}
clever env set HUGO_VERSION "$HUGO_VERSION
```
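Review bot: the replacement line `clever env set HUGO_VERSION "$HUGO_VERSION` in the example script is missing its closing double quote, so anyone pasting it gets an unterminated-string error from the shell; it should read `clever env set HUGO_VERSION "$HUGO_VERSION"`. The example also mixes the old and new step layout: `step: Create and deploy app` is not valid workflow syntax, and the `env:` block is then followed by a separate `- name: Set evironment variables` step, whereas this same commit folds that step into `Create and deploy app` in action.yml, so the `env:` and the `run:` should both sit under `- name: Create and deploy app`. Step 5 of the new guide says "inject it" for two values (should be "inject them"), and the added text carries several typos: "adress", "credetials", "Acction", "evironment" (three occurrences, including the step name) and "ouf sourcing".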
32 changes: 17 additions & 15 deletions action.yml
@@ -1,7 +1,10 @@
name: Clever Cloud Review App on Pull Requests

description: Deploy, sync and delete review apps on Clever Cloud for every pull request targeting the `main` branch

branding:
icon: upload-cloud
colore: red

on:
pull_request_target:
types: [opened, closed, synchronize, reopened]
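Review bot: `colore: red` in the new `branding` block should be `color: red`; the branding key GitHub documents is `color`, so `colore` will not set the icon colour. Worth noting alongside the README change in this commit: the trigger shown here is `pull_request_target`, which runs the workflow in the base repository's context with access to its secrets even when the pull request comes from a fork, so the README's statement that fork PRs fail for lack of secrets does not hold for this trigger, and the `CLEVER_TOKEN`/`CLEVER_SECRET` values moved into the steps below are available on fork-originated runs; the README should say so rather than promise those runs fail.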
@@ -11,10 +14,6 @@ on:
# List more secrets if needed, for example: HUGO_VERSION: ${{ secrets.HUGO_VERSION }}
env:
BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
CLEVER_SECRET: ${{ secrets.CLEVER_SECRET }}
CLEVER_TOKEN: ${{ secrets.CLEVER_TOKEN }}
ORGA_ID: ${{ secrets.ORGA_ID }}
HUGO_VERSION: ${{ secrets.HUGO_VERSION }}

jobs:
deploy:
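Review bot: with the four secrets removed from the workflow-level `env`, the comment kept at the top of this hunk (`# List more secrets if needed, for example: HUGO_VERSION: ${{ secrets.HUGO_VERSION }}`) now points users back to the pattern this commit is removing; move it to the step-level `env` blocks where the secrets are now declared, so extra secrets get the same scope. Keeping `BRANCH_NAME` at workflow level is fine, since it is not a secret.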
@@ -43,26 +42,25 @@ jobs:
- run: echo "🍏 This job's status is ${{ job.status }}."
- name: install clever-tools
run: npm install -g clever-tools
- name: Create app
- name: Create and deploy app
env:
CLEVER_SECRET: ${{ secrets.CLEVER_SECRET }}
CLEVER_TOKEN: ${{ secrets.CLEVER_TOKEN }}
ORGA_ID: ${{ secrets.ORGA_ID }}
# Use "clever create" to deploy your app.
# Replace <type>, <app-name> and <region>
run: |
clever create --type <type> <app-name>-${{ env.BRANCH_NAME }} --alias <app-name>-${{ env.BRANCH_NAME }} --region <region> --org ${{secrets.ORGA_ID}}
- name: Set evironment variables
clever create --type <type> <app-name>-${{ env.BRANCH_NAME }} --alias <app-name>-${{ env.BRANCH_NAME }} --region <region> --org "$ORGA_ID"
# Set environment variable with "clever env set".
# For example: clever env set CC_WEBROOT "/public"
# Inject your secrets as well, for ex:
#clever env set HUGO_VERSION ${{env.HUGO_VERSION}}
run: |
clever env set <VARIABLE_NAME> "<variable_value>"
clever domain add clever-doc-review-${{ env.BRANCH_NAME }}.cleverapps.io
- name: Set domain
# Set review app domain with "clever domain add".
# Replace <app-name>
run: |
clever domain add <app-name>-${{ env.BRANCH_NAME }}.cleverapps.io
- name: Deploy
run: clever deploy
clever deploy
# Post your domain in PR's discussion
# Replace <app-name>
- name: Comment PR
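Review bot: the `run:` script still builds the app name from `${{ env.BRANCH_NAME }}`, and `BRANCH_NAME` is `github.head_ref` on a `pull_request_target` run, i.e. a value chosen by the pull-request author; expression interpolation pastes that string into the shell script before it executes, which is the same exposure this commit removes for the secrets. Since `BRANCH_NAME` is already in `env`, use `"$BRANCH_NAME"` in `clever create`, `clever domain add` and the alias arguments, e.g. `clever create --type <type> "<app-name>-$BRANCH_NAME" --alias "<app-name>-$BRANCH_NAME" --region <region> --org "$ORGA_ID"`. Two smaller points: the comment `#clever env set HUGO_VERSION ${{env.HUGO_VERSION}}` still shows the old `${{ }}` form and should become `clever env set HUGO_VERSION "$HUGO_VERSION"` to match the README, and `clever domain add clever-doc-review-${{ env.BRANCH_NAME }}.cleverapps.io` hard-codes a project-specific prefix where the deleted line used the `<app-name>` placeholder, so the template no longer matches its own `# Replace <app-name>` comments.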
@@ -99,9 +97,13 @@ jobs:
- name: install clever-tools
run: npm install -g clever-tools
- name: Link and update app
env:
CLEVER_SECRET: ${{ secrets.CLEVER_SECRET }}
CLEVER_TOKEN: ${{ secrets.CLEVER_TOKEN }}
ORGA_ID: ${{ secrets.ORGA_ID }}
# Replace <app-name>
run: |
clever link -o ${{ env.ORGA_ID }} <app-name>-${{ env.BRANCH_NAME }}
clever link -o "$ORGA_ID" <app-name>-${{ env.BRANCH_NAME }}
clever deploy
- name: Comment PR
uses: actions/github-script@v5
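Review bot: step-level `env` plus `clever link -o "$ORGA_ID"` is the right shape here; the remaining `${{ env.BRANCH_NAME }}` in the `clever link` argument still interpolates the PR-controlled branch name as an expression, so `"<app-name>-$BRANCH_NAME"` would finish the job for this step as well.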
@@ -132,7 +134,7 @@ jobs:
- name: Delete app
# Replace <app-name>
run: |
clever link -o ${{ env.ORGA_ID }} <app-name>-${{ env.BRANCH_NAME }}
clever link -o "$ORGA_ID" <app-name>-${{ env.BRANCH_NAME }}
clever delete --alias <app-name>-${{ env.BRANCH_NAME }} --yes
- name: Comment PR
uses: actions/github-script@v5
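Review bot: the `Delete app` step now runs `clever link -o "$ORGA_ID"`, but this hunk adds no `env:` block to it, and hunk `@@ -11,10 +14,6 @@` removes `CLEVER_SECRET`, `CLEVER_TOKEN` and `ORGA_ID` from the workflow-level `env`; unless a job-level `env` outside this view supplies them, `$ORGA_ID` expands to an empty string and the CLI has no credentials, so `clever link` and `clever delete` fail and review apps are never cleaned up when the PR closes. Add the same three-entry `env:` block the other steps received.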
