orb(reactotron): ci: add scripts for trusting PRs from forks to allow CI to run (#1512)

## Please verify the following:

- [x] yarn run v1.22.22 info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command. passes
- [x] I have added tests for any new features, if relevant
- [x]  (or relevant documentation) has been updated with your changes

## Describe your PR

### Summary
* adds the  script and  related docs to the local repo
* CircleCI Changes:
  * add the trust-check step, to ensure CI doesn't run on untrusted forks
* Adds github workflows to:
  * push PR changes to a trusted branch then clean up automatically after 2h
  * delete all temp trusted branches with matching branch names

### Notes:

* Based on [this
article](https://circleci.com/blog/triggering-trusted-ci-jobs-on-untrusted-forks/),
this config prevents the build-docs action from running on untrusted
forks.
* CI will check if a branch is trusted before running CI
* Once a branch is trusted, then CI will run
* The github workflow to create a temp branch will automatically clean
up the branch after a couple hours, and a separate action is provided to
manually delete all temp branches in case any get left behind.
* the  script will need to be cleaned up manually for now --
can maybe automate that with a cron job in github workflows

---------

Co-authored-by: Joshua Yoes <[email protected]> (b5fbdb655915d52c383fce026b59379eb43584c7)
infinitered-circleci committed Oct 28, 2024
1 parent 1a7247d commit 7455161
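As an added example, not the `ci:trust` script or the CircleCI config from this commit, here are the two halves of the scheme the commit message describes, written in POSIX sh: a trust gate for the CI job, and a push of a reviewed fork commit to a temporary branch of the main repository. `CIRCLE_PR_NUMBER` and `CIRCLE_PR_USERNAME` are CircleCI's documented environment variables that are set only for builds of pull requests from forks. The function names, the `untrusted-fork` remote name, the per-commit `temp-ci-trusted-fork-<sha12>` branch naming (the documented script uses the single fixed name `temp-ci-trusted-fork`), and the requirement to pass the reviewed commit's full SHA are assumptions of this example, not behaviour of the project's script.

```shell
#!/bin/sh
# Added example (not the project's ci:trust script): a CI trust gate plus a
# SHA-pinned "trust" push. Function, remote and branch names are assumptions.
set -eu

# trust_check PR_NUMBER PR_USERNAME
# CircleCI sets CIRCLE_PR_NUMBER / CIRCLE_PR_USERNAME only when the build was
# triggered by a pull request from a fork, so a non-empty value means the
# commits did not come from the main repository. Prints "trusted" or
# "untrusted" and returns 0 / 1 so a job step can branch on it.
trust_check() {
  pr_number="${1:-}"
  pr_user="${2:-}"
  if [ -n "$pr_number" ] || [ -n "$pr_user" ]; then
    echo "untrusted"
    return 1
  fi
  echo "trusted"
  return 0
}

# is_full_sha CANDIDATE
# Accept only a 40-character lowercase hex commit id. Pinning the reviewed
# commit (rather than a branch name) closes the window in which the fork
# owner could move the branch between review and the trust push.
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*|"") return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# temp_branch_name SHA
# Per-commit temporary branch name (assumed convention, so that trusting two
# PRs at once does not overwrite the same branch).
temp_branch_name() {
  echo "temp-ci-trusted-fork-$(printf '%s' "$1" | cut -c1-12)"
}

# ci_trust FORK_URL FORK_BRANCH REVIEWED_SHA
# Fetch FORK_BRANCH from the fork, verify its tip is exactly the commit that
# was reviewed, and push that commit to a temporary branch of origin (the main
# repository). That push is what makes CI run the commits as trusted; it needs
# write access to origin. Not exercised by the offline checks below.
ci_trust() {
  fork_url="$1"
  fork_branch="$2"
  sha="$3"
  is_full_sha "$sha" || {
    echo "reviewed commit must be a full 40-char SHA: $sha" >&2
    return 2
  }
  branch="$(temp_branch_name "$sha")"
  git remote add untrusted-fork "$fork_url" 2>/dev/null \
    || git remote set-url untrusted-fork "$fork_url"
  git fetch --no-tags untrusted-fork "refs/heads/$fork_branch"
  fetched="$(git rev-parse FETCH_HEAD)"
  if [ "$fetched" != "$sha" ]; then
    echo "fork branch $fork_branch now points at $fetched, not the reviewed $sha; review again" >&2
    git remote remove untrusted-fork
    return 3
  fi
  # Force-push so an existing temp branch for this commit is simply replaced.
  git push --force origin "$sha:refs/heads/$branch"
  git remote remove untrusted-fork
  echo "$branch"
}

# In the CircleCI job the gate runs as the first step; halting ends the job
# without running the remaining steps:
#   trust_check "${CIRCLE_PR_NUMBER:-}" "${CIRCLE_PR_USERNAME:-}" \
#     || circleci-agent step halt
```

The gate and the push are deliberately separate: the gate keeps fork commits from ever reaching a job that holds secrets, and `ci_trust` refuses to push unless the fetched tip is the SHA a maintainer actually reviewed, which the branch-name interface alone cannot guarantee.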
Showing 3 changed files with 46 additions and 0 deletions.
46 changes: 46 additions & 0 deletions docs/reactotron/contributing/ci.md
@@ -0,0 +1,46 @@
---
name: Running Tests on Untrusted Forks
sidebar_position: 99
---

# Running CI Scripts on Untrusted Forks

Untrusted forks could contain malicious code to mine cryptocurrency, steal secrets, or otherwise harm the CI server.

For PRs from untrusted forks, to run the CI scripts, we need to:

1. Review the code to ensure that it is safe to run on the CI server.
2. If the code is safe, run the `ci:trust` script to push the commits to a branch on the main repository, where the CI scripts can be run.
3. Once the tests have run, the status of the PR will be updated automatically (because the commits are the same).

## How to run the CI scripts on untrusted forks:

1. Copy the name of the branch from the PR.
<img src="./images/ci-copy-fork-branch.png" alt="ci-copy-fork-branch" width="400"/>
2. From your local clone of the main repository, run the `ci:trust` script.
```bash
yarn ci:trust <branch-name>
```
3. The branch will be pushed and the tests will run
<img src="./images/ci-tests-running.png" alt="ci-tests-running" width="400"/>

## What does ci:trust do?

The `ci:trust` script does the following:

1. Adds and fetches the untrusted fork as a temporary remote in your local repository.
2. Pushes the specific branch from the untrusted fork to a designated temporary branch in your original repository.
3. Pushing to a local branch triggers the continuous integration (CI) tests on the commits of the branch.
4. Because the commits are the same, the status of the PR will be updated automatically.

### Notes

1. The ci:trust script will only work if you have write access to the main repository. This prevents malicious users from running the script on the main repository.
2. The ci:trust script pushes the commits to a branch called `temp-ci-trusted-fork`.

::: warning

The `temp-ci-trusted-fork` branch will be deleted and recreated if it already exists. This allows the script to
clean up its own temporary branches.

:::
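Review bot: Step 2 of "How to run the CI scripts on untrusted forks" (`yarn ci:trust <branch-name>`) and item 1 of "What does ci:trust do?" identify the commits to trust by the fork's branch name only, so the commits that get fetched and pushed can differ from the ones reviewed in step 1 if the fork owner pushes again in between; have the script take the reviewed commit SHA as well and refuse to push when the fetched tip does not match it. Item 3 of the same list, "Pushing to a local branch triggers the continuous integration (CI) tests", contradicts item 2 and the Notes, which say the push goes to a branch in the main repository; reword it to say that pushing the branch to the main repository is what triggers CI. The Notes also fix the target as the single branch `temp-ci-trusted-fork`, deleted and recreated on each run, so trusting a second PR while the first is still being tested replaces its commits; the commit message instead describes temp branches "with matching branch names" cleaned up after 2h, so the doc and the script should agree on which naming is in use.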

0 comments on commit 7455161