Tweak wording and secrets

Expensify · Dec 18, 2020 · 71d00f2 · 71d00f2
1 parent 2eac8ea
commit 71d00f2
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 6 deletions.
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -4,7 +4,9 @@
 1. Do **not** use `pull_request_target` trigger unless an external fork needs access to secrets, or a _write_ `GITHUB_TOKEN`.
 1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v2`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
 1. **Do use** the `pull_request` trigger as it does not send internal secrets and only grants a _read_ `GITHUB_TOKEN`.   
-1. If an external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash to prevent a modification of underlying source code at that version.
+1. If an external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash of the workflow to prevent a modification of underlying source code at that version. For example:
+    1. **Bad:** `hmarr/[email protected]` Relies on the tag
+    1. **Good:** `hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd` Explicit Git hash
 1. When creating secrets, use tightly scoped secrets that only allow access to that specific action's requirement
 1. Review all modifications to our workflows with extra scrutiny, it is important to get it correct the first time.
 1. Test workflow changes in your own public fork, for example: https://github.com/Andrew-Test-Org/Public-Test-Repo

diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -24,7 +24,7 @@ jobs:
               uses: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }}
-              if: github.event.label.name == 'automerge' && github.actor == 'botify' && steps.changed.outputs.files_updated == 'android/app/build.gradle ios/ExpensifyCash/Info.plist ios/ExpensifyCashTests/Info.plist package-lock.json package.json' && steps.changed.outputs.files_created == '' && steps.changed.outputs.files_deleted == ''
+              if: github.event.label.name == 'automerge' && github.actor == 'OSBotify' && steps.changed.outputs.files_updated == 'android/app/build.gradle ios/ExpensifyCash/Info.plist ios/ExpensifyCashTests/Info.plist package-lock.json package.json' && steps.changed.outputs.files_created == '' && steps.changed.outputs.files_deleted == ''
 
             - name: Check for an auto merge
               # Version: 0.12.0

diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -16,7 +16,7 @@ jobs:
               uses: cla-assistant/github-action@5a4ef1e1a1f75bceafd9b12704f8a6da576bcf14
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  PERSONAL_ACCESS_TOKEN : ${{ secrets.BOTIFY_TOKEN }}
+                  PERSONAL_ACCESS_TOKEN : ${{ secrets.OS_BOTIFY_TOKEN }}
               with:
                   path-to-signatures: '${{ github.repository }}/cla.json'
                   path-to-document: 'https://github.com/${{ github.repository }}/blob/master/CLA.md'

diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
@@ -13,7 +13,7 @@ jobs:
             - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
               with:
                   fetch-depth: 0
-                  token: ${{ secrets.BOTIFY_TOKEN }}
+                  token: ${{ secrets.OS_BOTIFY_TOKEN }}
 
             - name: Setup Node
               uses: actions/setup-node@v1
@@ -52,7 +52,7 @@ jobs:
                     source_branch: version-bump-${{ github.sha }}
                     destination_branch: "master"
                     pr_label: "automerge"
-                    github_token: ${{ secrets.BOTIFY_TOKEN }}
+                    github_token: ${{ secrets.OS_BOTIFY_TOKEN }}
 
             # This Slack step is duplicated in all workflows, if you make a change to this step, make sure to update all
             # the other workflows with the same change

diff --git a/README.md b/README.md
@@ -257,7 +257,7 @@ The GitHub workflows require a large list of secrets to deploy, notify and test
     3. `ios/chat_expensify_appstore.mobileprovision`
     4. `ios/Certificates.p12.gpg`
 2. `SLACK_WEBHOOK` - Sends Slack notifications via Slack WebHook https://expensify.slack.com/services/B01AX48D7MM
-3. `BOTIFY_TOKEN` - Personal access token for @Botify user in GitHub
+3. `OS_BOTIFY_TOKEN` - Personal access token for @OSBotify user in GitHub
 4. `CSC_LINK` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
 5. `CSC_KEY_PASSWORD` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
 6. `APPLE_ID` - Required for notarizing desktop code in `desktop/notarize.js`