
harden testing workflows (env-var policy + permissions + SHA-pin) #996

Merged: GuyEshdat merged 3 commits into master from core-684-harden-testing-workflows on Apr 26, 2026

Conversation

@GuyEshdat (Collaborator) commented Apr 26, 2026

Summary

Hardens the dbt warehouse-test and stale-schema-cleanup workflows.

  • Defense-in-depth: every ${{ }} expression inside run: blocks is now passed through env:. Applies to inputs, github context, matrix values, and ternary-style conditional values. None of these are externally exploitable today (matrix values are hardcoded; inputs are write-access-only via workflow_dispatch), but the env-var pattern is now consistent across the workflow surface area.
  • inputs.max-age-hours is fail-closed: validated against ^[0-9]+$ before reaching dbt run-operation.
  • SHA-pinned pmeier/pytest-results-action@v0.8.0 (this action runs in the job that has cloud DWH credentials in env).
  • Default-deny GITHUB_TOKEN: top-level permissions: {}, jobs declare the minimum they need (everything in this PR is contents: read).

Test plan

  • PR triggers pull_request (internal) and pull_request_target (fork) flows correctly.
  • Cloud and local warehouse tests still pass.
  • Cleanup workflow on schedule still drops stale schemas.
  • workflow_dispatch of cleanup with invalid max-age-hours (e.g. 24abc) fails at validation.

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Hardened CI security by tightening token permissions across workflows.
    • Improved workflow reliability with input validation for age limits, safer path handling, and clearer environment-variable usage.
    • Simplified and standardized dependency/install and invocation steps for data-tooling to reduce flakiness.
    • Made test reporting and run configuration more consistent (includes target/version in outputs) and pinned reporting integration for stability.

- env-var-ize all ${{ }} expressions inside `run:` blocks across the
  test-warehouse, test-all-warehouses, test-all-warehouses-dbt-pre-releases,
  and cleanup-stale-schemas workflows
- validate inputs.max-age-hours (fail-closed on non-integer)
- SHA-pin pmeier/pytest-results-action@v0.8.0
- deny GITHUB_TOKEN by default, grant minimum per job

Made-with: Cursor
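The four hardening measures listed in the description (env-var indirection for `${{ }}` expressions, fail-closed input validation, SHA-pinned third-party actions, and default-deny `GITHUB_TOKEN` permissions) can be seen together in one minimal workflow. The following is an added illustration, not the elementary project's own workflow file: the workflow, job and step names, the `drop_stale_schemas` operation name, the `with: path:` input and the `<sha-of-v0.8.0>` placeholder are all assumptions, and the "before" line is shown only as a comment.

```yaml
# Added example, not the elementary project's workflow. Names are assumed.
name: harden-example

on:
  workflow_dispatch:
    inputs:
      max-age-hours:
        description: "Drop schemas older than this many hours"
        required: true
        default: "24"

# Default-deny: no job receives any GITHUB_TOKEN scope unless it declares one.
permissions: {}

jobs:
  cleanup:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # the minimum this job needs (checkout only)
    env:
      # Bind each expression once at the job level. The runner exports these
      # as process environment variables, so the values are never spliced
      # into the shell script text that bash parses.
      MAX_AGE_HOURS: ${{ inputs.max-age-hours }}
      ACTOR: ${{ github.actor }}
    steps:
      - uses: actions/checkout@v4

      # BEFORE (weak): the expression is expanded into the script source before
      # bash sees it, so shell metacharacters in the value become code.
      #   run: dbt run-operation drop_stale_schemas --args '{max_age_hours: ${{ inputs.max-age-hours }}}'

      # AFTER (hardened): fail closed on anything that is not a plain integer,
      # then consume the value only through the environment variable.
      - name: Validate max-age-hours
        shell: bash
        run: |
          if [[ ! "$MAX_AGE_HOURS" =~ ^[0-9]+$ ]]; then
            echo "::error::max-age-hours must be a non-negative integer, got '$MAX_AGE_HOURS'"
            exit 1
          fi
          echo "Cleanup requested by $ACTOR for schemas older than $MAX_AGE_HOURS hours"

      - name: Drop stale schemas
        shell: bash
        run: |
          # Validated value, so plain double-quote expansion is safe here.
          dbt run-operation drop_stale_schemas --args "{max_age_hours: $MAX_AGE_HOURS}"

      # Pin third-party actions that run next to warehouse credentials to a
      # full commit SHA; a moved tag then cannot change the code that runs.
      # <sha-of-v0.8.0> is a placeholder: resolve it from the action's repo.
      - uses: pmeier/pytest-results-action@<sha-of-v0.8.0> # v0.8.0
        if: always()
        with:
          path: test-results.xml
```

Running the workflow manually with `max-age-hours` set to `24abc` stops at the validation step with a non-zero exit before `dbt run-operation` is reached, which is the fail-closed behaviour the test plan describes.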
linear Bot commented Apr 26, 2026

coderabbitai Bot commented Apr 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d4b04dec-f780-4f00-861e-ebfa6b52a102

📥 Commits

Reviewing files that changed from the base of the PR and between 3fcd502 and c7638b8.

📒 Files selected for processing (1)
  • .github/workflows/test-warehouse.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/test-warehouse.yml

📝 Walkthrough

Walkthrough

Workflows were tightened with least-privilege permissions, job-level env vars were added, and dbt install/execution logic was refactored and made more robust across multiple GitHub Actions workflows.

Changes

Cohort: Permission hardening & fork-detection
File(s): .github/workflows/.../test-all-warehouses.yml
Summary: Adds top-level permissions: {} and job-level permissions: contents: read where needed. Updates the fork-detection job to run with no permissions, moves GitHub context lookups into job env, and quotes "$GITHUB_OUTPUT" writes.

Cohort: Permission hardening & dbt refactor (cleanup)
File(s): .github/workflows/.../cleanup-stale-schemas.yml
Summary: Sets workflow/job permissions, adds WAREHOUSE and MAX_AGE_HOURS env vars, validates max-age-hours as a non-negative integer, refactors dbt adapter resolution into DBT_ADAPTER_PKG and a single pip install, quotes symlink paths, and uses the validated MAX_AGE_HOURS in the dbt run-operation invocation.

Cohort: Permission hardening & dbt refactor (per-warehouse tests)
File(s): .github/workflows/.../test-warehouse.yml
Summary: Adds top-level empty permissions and job-level contents: read; introduces job WAREHOUSE and DBT_VERSION env vars; consolidates dbt install via env-driven pins (DBT_CORE_PIN, DBT_ADAPTER_PKG, etc.), replaces the adapter if/else with case "$WAREHOUSE", computes DBT_BIN per step, parameterizes pytest output names, and pins the pytest-results action to a commit SHA.

Cohort: Simple permission hardening (pre-releases)
File(s): .github/workflows/.../test-all-warehouses-dbt-pre-releases.yml
Summary: Adds workflow-level permissions: {} and grants only contents: read to the delegated test job; no other functional changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Pipelines snug in tighter seams,
Env vars lined up like tidy dreams,
Adapters chosen, checks run neat,
Outputs quoted, symlinks meet,
I hop and hum — CI now fleet. 🥕

🚥 Pre-merge checks | ✅ 5 passed

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title clearly and concisely describes the primary changes: hardening workflows through environment variable policy, permissions restrictions, and SHA pinning.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@github-actions (Contributor) commented:

👋 @GuyEshdat
Thank you for raising your pull request.
Please make sure to add tests and document all user-facing changes.
You can do this by editing the docs files in the elementary repository.

- revert ${{ github.workspace }} / ${{ env.TESTS_DIR }} inside run: blocks
  (these are workflow-internal, not user input — no security value)
- drop the ELEMENTARY_EXTRA env var in favour of an inline case statement
- fix the drop-stale-schemas --args quoting (mixed-quote, no \\\" escapes)

Made-with: Cursor
@GuyEshdat GuyEshdat marked this pull request as ready for review April 26, 2026 13:40
@GuyEshdat GuyEshdat merged commit 9ad6411 into master Apr 26, 2026
17 of 27 checks passed
@GuyEshdat GuyEshdat deleted the core-684-harden-testing-workflows branch April 26, 2026 15:18