Pipelines not being able to use Eco CI token

[ArneTR]

At the moment when we get external PRs the secrects cannot be used.

However we store Eco CI API credentials and also Electricitymaps tokens in the secrets and want to track carbon emissions also for external PRs.

What I did:

• Moved pipelines to pull_request_target instead of pull_request
  • This helped with access to the secrets.
  • However now always main was checked out as github.ref was always main. This can be fixed, but ...
  • Now once given permissions to run Github actions the pipeline would ALWAYS run when a new push was done. this is a security issue. We would need that the pipeline runs only once and needs permissions for every new commit

Or we find another way to use the secrets ...

[ribalba]

So I time boxed this to 3 hours which I have now reached. There is a way to achieve this by using environments [0]. But this is very cumbersome. I can't find a solution how to do this "easily" without compromising security.

We could also use something like this https://github.com/marketplace/actions/manual-workflow-approval but I think this adds quite a lot of overhead.

[0] https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment#required-reviewers

[ArneTR]

Hmm, this action is sadly a security nightmare. Although we could pin it with a hash it uses an unpinned docker dependency that can be changed anytime.

Although it looks like a good solution I argue it is more like getting a lemon ...

sad to hear it is not possible atm. Will move this to a discussion so we keep the idea open