fix: enhance encryption key validation and add trigger parity check for Codecov workflows

2026-02-17 00:58:44 +00:00
parent 2e84f88003
commit 557e08c783
5 changed files with 327 additions and 178 deletions
--- a/.github/workflows/codecov-upload.yml
+++ b/.github/workflows/codecov-upload.yml
@@ -50,11 +50,80 @@ jobs:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: backend/go.sum

+      # SECURITY: Keep pull_request (not pull_request_target) for secret-bearing backend tests.
+      # Untrusted code (fork PRs and Dependabot PRs) gets ephemeral workflow-only keys.
+      - name: Resolve encryption key for backend coverage
+        shell: bash
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          ACTOR: ${{ github.actor }}
+          REPO: ${{ github.repository }}
+          PR_HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          PR_HEAD_FORK: ${{ github.event.pull_request.head.repo.fork }}
+          WORKFLOW_SECRET_KEY: ${{ secrets.CHARON_ENCRYPTION_KEY_TEST }}
+        run: |
+          set -euo pipefail
+
+          is_same_repo_pr=false
+          if [[ "$EVENT_NAME" == "pull_request" && -n "${PR_HEAD_REPO:-}" && "$PR_HEAD_REPO" == "$REPO" ]]; then
+            is_same_repo_pr=true
+          fi
+
+          is_workflow_dispatch=false
+          if [[ "$EVENT_NAME" == "workflow_dispatch" ]]; then
+            is_workflow_dispatch=true
+          fi
+
+          is_dependabot_pr=false
+          if [[ "$EVENT_NAME" == "pull_request" && "$ACTOR" == "dependabot[bot]" ]]; then
+            is_dependabot_pr=true
+          fi
+
+          is_fork_pr=false
+          if [[ "$EVENT_NAME" == "pull_request" && "${PR_HEAD_FORK:-false}" == "true" ]]; then
+            is_fork_pr=true
+          fi
+
+          is_untrusted=false
+          if [[ "$is_fork_pr" == "true" || "$is_dependabot_pr" == "true" ]]; then
+            is_untrusted=true
+          fi
+
+          is_trusted=false
+          if [[ "$is_untrusted" == "false" && ( "$is_same_repo_pr" == "true" || "$is_workflow_dispatch" == "true" ) ]]; then
+            is_trusted=true
+          fi
+
+          resolved_key=""
+          if [[ "$is_trusted" == "true" ]]; then
+            if [[ -z "${WORKFLOW_SECRET_KEY:-}" ]]; then
+              echo "::error title=Missing required secret::Trusted backend CI context requires CHARON_ENCRYPTION_KEY_TEST. Add repository secret CHARON_ENCRYPTION_KEY_TEST."
+              exit 1
+            fi
+            resolved_key="$WORKFLOW_SECRET_KEY"
+          elif [[ "$is_untrusted" == "true" ]]; then
+            resolved_key="$(openssl rand -base64 32)"
+          else
+            echo "::error title=Unsupported event context::Unable to classify trust for backend key resolution (event=${EVENT_NAME})."
+            exit 1
+          fi
+
+          if [[ -z "$resolved_key" ]]; then
+            echo "::error title=Key resolution failure::Resolved encryption key is empty."
+            exit 1
+          fi
+
+          echo "::add-mask::$resolved_key"
+          {
+            echo "CHARON_ENCRYPTION_KEY<<__CHARON_EOF__"
+            echo "$resolved_key"
+            echo "__CHARON_EOF__"
+          } >> "$GITHUB_ENV"
+
      - name: Run Go tests with coverage
        working-directory: ${{ github.workspace }}
        env:
          CGO_ENABLED: 1
-          CHARON_ENCRYPTION_KEY: ${{ secrets.CHARON_ENCRYPTION_KEY_TEST }}
        run: |
          bash scripts/go-test-coverage.sh 2>&1 | tee backend/test-output.txt
          exit "${PIPESTATUS[0]}"