fix(ci): tighten PR workflow permissions and secret access (v1.6 backport)#902
Merged
Conversation
Backport of #901. Same security mitigations applied to the v1.6 maintenance branch.

next-drupal.yml:
- Switch from pull_request_target to pull_request
- persist-credentials: false on checkout
- permissions: contents: read
- Gate Drupal secrets to push-to-v1.6 events only
- Add concurrency + timeout-minutes
- Bump checkout/setup-node to v4

release-pr.yml:
- Restrict trigger to internal-PR labeled events
- persist-credentials: false on checkout
- setup-node@v4 registry-url + NODE_AUTH_TOKEN
- Replace third-party comment action with gh CLI
- permissions: contents: read, pull-requests: write
- Add concurrency + timeout-minutes
- Pass placeholder DRUPAL_USERNAME/PASSWORD/CLIENT_ID/CLIENT_SECRET on PR runs. Test utils construct a Drupal client at module load time and require these to be present (not valid).
- Bump actions/cache@v2 -> v4 in next.yml (v2 is automatically failed by GitHub) and replace deprecated ::set-output syntax with $GITHUB_OUTPUT.
tests/client.test.ts mixes unit and live-Drupal integration tests. Without a clean split, all of them fail when pointed at the placeholder DRUPAL_BASE_URL. Skip on PR runs; push-to-v1.6 still runs the full suite against the live sandbox.
sean-e-dietrich approved these changes on May 11, 2026
Summary

Backport of #901 to the v1.6 maintenance branch. Applies the same security mitigations to next-drupal.yml and release-pr.yml so this branch's PR-triggered workflows have the same hardened defaults.

next-drupal.yml:
- Switch from pull_request_target to pull_request
- persist-credentials: false on checkout
- permissions: contents: read at workflow root
- Gate Drupal secrets behind github.event_name == 'push' to v1.6
- Skip integration tests (client.test, crud.test) on PR runs and lift coverage threshold accordingly
- concurrency cancel-in-progress + timeout-minutes: 15
- Bump actions/checkout and actions/setup-node to v4
- Pass placeholder DRUPAL_* env vars on PR runs (test utils construct a Drupal client at module load and require these to be present)

release-pr.yml:
- Restrict trigger to pull_request: [labeled] and internal PRs only (head.repo.full_name == base.repo.full_name)
- persist-credentials: false on checkout
- setup-node@v4 registry-url + NODE_AUTH_TOKEN (replaces inline .npmrc echo)
- Replace third-party comment action with gh pr comment
- permissions: contents: read, pull-requests: write
- concurrency cancel-in-progress + timeout-minutes: 15

next.yml:
- actions/cache@v2 → v4 (v2 is automatically failed by GitHub) and replace deprecated ::set-output syntax with $GITHUB_OUTPUT

Test plan
- next-drupal.yml (PR path, integration tests skipped) — test job passes
- release-pr.yml validated on next experimental release attempt against this branch

Notes

The Drupal phpunit matrix jobs (Drupal 9.4, Drupal 9.5, Drupal 10.0) in next.yml show as failing on this PR. Those failures are pre-existing — they were already failing on v1.6 before this PR was opened and are unrelated to the security changes here. The matrix targets Drupal versions that are EOL upstream (Drupal 9.x reached EOL in late 2023; 10.0 reached EOL in late 2023), and the locked symfony/console version no longer satisfies current composer/composer requirements. Updating that matrix to currently-supported Drupal versions is a separate maintenance task and out of scope for this security fix.

The next-drupal test job (the workflow this PR actually hardens) passes.
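Illustrative hardened workflow showing the PR-path/push-path split described above. This is an added example, not the repository's actual next-drupal.yml; the job name, Node version, the jest ignore flag and a DRUPAL_BASE_URL secret are assumptions.

```yaml
name: next-drupal

on:
  pull_request:            # was pull_request_target: fork PRs no longer run with base-repo secrets
  push:
    branches: [v1.6]

# Default GITHUB_TOKEN is read-only for every job; jobs needing more must opt in explicitly.
permissions:
  contents: read

# One run per ref; a superseded run is cancelled instead of piling up.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config for later steps
      - uses: actions/setup-node@v4
        with:
          node-version: 20             # assumed
      - run: npm ci

      # PR runs: placeholders satisfy module-load client construction; no real secret is exposed.
      - name: Unit tests (PR runs, integration tests skipped)
        if: github.event_name == 'pull_request'
        env:
          DRUPAL_BASE_URL: https://example.invalid   # placeholder
          DRUPAL_USERNAME: placeholder
          DRUPAL_PASSWORD: placeholder
          DRUPAL_CLIENT_ID: placeholder
          DRUPAL_CLIENT_SECRET: placeholder
        run: npm test -- --testPathIgnorePatterns client.test crud.test   # assumed jest invocation

      # Only pushes to v1.6 (already-merged, trusted code) receive the live sandbox credentials.
      - name: Full suite (push to v1.6)
        if: github.event_name == 'push' && github.ref == 'refs/heads/v1.6'
        env:
          DRUPAL_BASE_URL: ${{ secrets.DRUPAL_BASE_URL }}
          DRUPAL_USERNAME: ${{ secrets.DRUPAL_USERNAME }}
          DRUPAL_PASSWORD: ${{ secrets.DRUPAL_PASSWORD }}
          DRUPAL_CLIENT_ID: ${{ secrets.DRUPAL_CLIENT_ID }}
          DRUPAL_CLIENT_SECRET: ${{ secrets.DRUPAL_CLIENT_SECRET }}
        run: npm test
```

A quick check that the gating holds is to open a PR from a fork and confirm in the run log that only the placeholder step executes and the secrets context resolves to empty strings.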