This project implements a comprehensive security model that balances open contribution with credential protection. The security guards ensure that sensitive operations and credentials are only accessible to repository owners while allowing contributors to run comprehensive tests.
Security Level: Open to all contributors
if: github.repository == 'diverger/gh-oss-helper' || github.event_name == 'pull_request'- ✅ Runs on all pull requests from any contributor
- ✅ No secrets required
- ✅ Tests core functionality with mocks
Security Level: Open to all contributors
if: github.repository == 'diverger/gh-oss-helper' || github.event_name == 'pull_request'- ✅ Runs on all pull requests from any contributor
- ✅ Uses mocked OSS SDK for realistic testing
- ✅ No real credentials required
Security Level: Dual-tier security
if: github.repository == 'diverger/gh-oss-helper' || github.event_name == 'pull_request'- ✅ Runs on all pull requests from any contributor
- ✅ Tests action interface with mock credentials
- ✅ Validates
action.ymlcompliance
if: github.repository == 'diverger/gh-oss-helper' &&
github.actor == github.repository_owner &&
(github.event_name == 'push' || github.event_name == 'workflow_dispatch')- 🔒 Repository owner only
- 🔒 Only on push or manual dispatch (not PRs)
- 🔒 Requires real OSS credentials
Security Level: Open to all contributors
if: github.repository == 'diverger/gh-oss-helper' || github.event_name == 'pull_request'- ✅ Runs on all pull requests from any contributor
- ✅ No secrets required
Security Level: Conditional access
if: github.repository == 'diverger/gh-oss-helper'- 🔒 Repository-only (no fork execution)
- 🔐 Conditional secret access based on actor
⚠️ Warning notice for contributors about secret availability
Security Level: Repository owner only
if: github.repository == 'diverger/gh-oss-helper' &&
github.actor == github.repository_owner- 🔒 Repository owner only
- 🔒 Controls release process and sensitive operations
The real OSS test job uses environment variables for credentials:
with:
access-key: ${{ secrets.OSS_ACCESS_KEY_ID }}
secret-key: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
bucket: ${{ secrets.OSS_BUCKET }}
region: ${{ secrets.OSS_REGION }}This is secure because:
- GitHub Secrets Encryption: Secrets are encrypted at rest and in transit
- Access Control: Multiple security guards prevent unauthorized access
- No Log Exposure: GitHub automatically masks secrets in logs
- Scoped Access: Environment variables are only available to the specific action step
- Audit Trail: Clear conditions show when/why secrets are accessed
The workflow includes pre-checks to ensure all required secrets are configured before attempting real uploads.
Can Access:
- ✅ Unit tests with mocks
- ✅ Integration tests with mocked OSS SDK
- ✅ Action interface tests with mock credentials
- ✅ Build and packaging verification
Cannot Access:
- ❌ Real OSS credentials
- ❌ Live upload testing
- ❌ Release operations
Can Access:
- ✅ All contributor capabilities
- ✅ Real OSS credential testing
- ✅ Manual test execution
- ✅ Release operations
- ✅ All secrets and sensitive operations
- Principle of Least Privilege: Only repository owner can access secrets
- Defense in Depth: Multiple security conditions per workflow
- Separation of Concerns: Mock tests for PRs, real tests for owner
- Audit Trail: Clear conditions show when/why secrets are accessed
- Fail-Safe Defaults: Workflows fail closed if conditions aren't met
If you discover a security vulnerability, please report it by:
- Creating a private issue in this repository
- Emailing the repository owner directly
- Do not create public issues for security vulnerabilities
This security model is reviewed and updated as needed. Major changes to security guards or credential handling will be documented in release notes.