
fix(ci): remove workflow-level env block exposing secrets #1799

Merged: chilingling merged 2 commits into opentiny:develop from hexqi:copilot/remove-security-risk-env-vars on Apr 1, 2026

Conversation

@hexqi (Collaborator) commented Apr 1, 2026


PR

PR Checklist

Please check that your PR meets the following requirements:

  • The commit message follows our contribution guidelines
  • Test cases were added for the change (for bugfix/feature)
  • Documentation was added/updated (for bugfix/feature)
  • You built your own designer and fully self-verified the change

PR type

What type of PR is this?

  • Routine bug fix
  • New feature
  • Code style optimisation
  • Refactoring
  • Build optimisation
  • Test cases
  • Documentation update
  • Branch merge
  • Other change (security fix)

Background and solution

The top-level env: block in deploy-cdn.yml promoted the Huawei Cloud AK/SK, Endpoint, Bucket and other sensitive secrets to workflow-level process environment variables, exposing them to every job and step and creating a leak risk.

Changes:

  • Delete the top-level env: block, removing the global environment-variable mapping of four secrets:
    # removed
    env:
      HUAWEI_CLOUD_AK: ${{ secrets.HUAWEI_CLOUD_AK }}
      HUAWEI_CLOUD_SK: ${{ secrets.HUAWEI_CLOUD_SK }}
      HUAWEI_CLOUD_ENDPOINT: ${{ secrets.HUAWEI_CLOUD_ENDPOINT }}
      HUAWEI_CLOUD_BUCKET: ${{ secrets.HUAWEI_CLOUD_BUCKET }}
  • Replace every ${{ env.HUAWEI_CLOUD_* }} reference in the deploy-cdn job with a direct ${{ secrets.HUAWEI_CLOUD_* }} reference, expanded on demand only in the obsutil config and upload commands and never written into the process environment.

The check-secrets job already used secrets.* directly and needs no change.

Before

The AK/SK lived as workflow environment variables in the process environment of every job; any step (including third-party actions) could read them.

After

The AK/SK are expanded on demand in a single step of the deploy-cdn job only, are masked automatically by GitHub Actions, and are not written to the environment, which shrinks the exposure surface.

Does this PR contain a breaking change?

Other information

N/A

Summary by CodeRabbit

  • Chores
    • Updated CDN deployment workflow to reference cloud storage credentials and configuration directly from secure secrets storage, streamlining the deployment process without affecting build or upload functionality.
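As an added check (not part of this PR or of the opentiny project), a stdlib-only Python scanner that flags the pattern this PR removes: an entry in the workflow-level env: block that expands ${{ secrets.* }}, plus every ${{ env.* }} read of such an entry. The embedded workflow is a constructed sample shaped like the description above, not the real deploy-cdn.yml.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the workflow described in this PR (not the project's real file).
SAMPLE_WORKFLOW = """\
name: deploy-cdn
on: [push]
env:
  NODE_VERSION: 20
  HUAWEI_CLOUD_AK: ${{ secrets.HUAWEI_CLOUD_AK }}
  HUAWEI_CLOUD_SK: ${{ secrets.HUAWEI_CLOUD_SK }}
jobs:
  deploy-cdn:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: obsutil config -i=${{ env.HUAWEI_CLOUD_AK }} -k=${{ env.HUAWEI_CLOUD_SK }}
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
ENV_REF = re.compile(r"\$\{\{\s*env\.(\w+)\s*\}\}")


def workflow_level_secret_env(text: str) -> Dict[str, str]:
    """Map env name -> secret name for entries of the top-level env: block that expand a secret."""
    found: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")):
            # A column-0 key starts a new top-level section; only a bare "env:" here is workflow-level.
            in_block = line.rstrip() == "env:"
            continue
        if in_block:
            key, _, value = line.strip().partition(":")
            match = SECRET_REF.search(value)
            if match:
                found[key.strip()] = match.group(1)
    return found


def findings(text: str) -> List[str]:
    """One finding per exposed secret, plus one per line that reads it back through env.*."""
    exposed = workflow_level_secret_env(text)
    out = [f"workflow-level env maps secret {s} into {k}; every job and step can read it" for k, s in exposed.items()]
    for num, line in enumerate(text.splitlines(), 1):
        for name in ENV_REF.findall(line):
            if name in exposed:
                out.append(f"line {num}: env.{name} reads a secret; reference secrets.{exposed[name]} at step scope instead")
    return out
```

Job-level and step-level env: blocks are deliberately not flagged, since scoping a secret to the one step that needs it is the fix the PR applies.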

github-actions bot added the labels bug (Something isn't working) and ci on Apr 1, 2026

@coderabbitai coderabbitai bot (Contributor) commented Apr 1, 2026

Walkthrough

The .github/workflows/deploy-cdn.yml workflow was updated to directly reference Huawei Cloud credentials and bucket configuration from GitHub secrets instead of job-level environment variables. The OBS upload step now sources all required configuration values (HUAWEI_CLOUD_AK, HUAWEI_CLOUD_SK, HUAWEI_CLOUD_ENDPOINT, HUAWEI_CLOUD_BUCKET) from secrets.* rather than env.*.

Changes

Cohort / File(s): GitHub Actions Workflow Configuration
  .github/workflows/deploy-cdn.yml
Summary: Removed Huawei Cloud credential and bucket environment variable declarations from the workflow env block. Updated the OBS upload step to reference credentials and bucket configuration directly from GitHub secrets instead of environment variables.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Secrets now rest where they belong,
No longer in env's open song,
From secrets.* they safely flow,
In GitHub's vault, they're tucked below!

Pre-merge checks: 3 passed

  • Description Check: Passed (check skipped; CodeRabbit's high-level summary is enabled)
  • Docstring Coverage: Passed (no functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check)
  • Title check: Passed (the title accurately summarizes the main change: removing a workflow-level env block that exposed secrets in the CI configuration)


hexqi changed the title from "fix: remove workflow-level env block exposing secrets" to "fix(ci): remove workflow-level env block exposing secrets" on Apr 1, 2026

@coderabbitai coderabbitai bot (Contributor) left a comment

🧹 Nitpick comments (1)
.github/workflows/deploy-cdn.yml (1)

161-161: Masked bucket name may reduce log usefulness.

Since HUAWEI_CLOUD_BUCKET is now referenced via secrets.*, GitHub Actions will mask its value in logs (displaying ***). This makes the confirmation message less informative for debugging.

If the bucket name isn't considered sensitive (CDN bucket names are often publicly known), consider passing it through a job output or a non-secret variable for logging purposes while keeping AK/SK as direct secret references.

💡 Optional: Use a build job output for the bucket name in logs

If you want readable logs, one option is to have the check-secrets job output the bucket name (since it already validates it exists), then reference that output for logging:

- echo "Uploaded to: obs://${{ secrets.HUAWEI_CLOUD_BUCKET }}/${{ needs.build.outputs.obs-path }}"
+ echo "Uploaded to: obs://<bucket>/${{ needs.build.outputs.obs-path }}"
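Review bot: the `+` line does not implement what the surrounding text proposes; it replaces the secret reference with the literal string `<bucket>`, so the log would print a placeholder rather than a job output. Routing the bucket name through a job output would not restore readability either while HUAWEI_CLOUD_BUCKET stays a repository secret: GitHub Actions masking is value-based, so any string equal to the secret is redacted wherever it is printed, and job outputs that contain a secret value are redacted on the runner rather than passed to dependent jobs. If the bucket name is genuinely not sensitive, the workable option is to store it as a repository variable and print `${{ vars.HUAWEI_CLOUD_BUCKET }}` (variable name assumed), keeping AK/SK as secrets.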

Or accept the masked output as-is since the CDN URL on line 162 already shows the full path.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/deploy-cdn.yml at line 161, The log echo uses the secret
HUAWEI_CLOUD_BUCKET (secrets.HUAWEI_CLOUD_BUCKET) which GitHub Actions will
mask; change the workflow so the readable bucket name comes from a non-secret
variable or a job output (e.g. set the bucket in the check-secrets job output or
a build job output and reference that output instead of
secrets.HUAWEI_CLOUD_BUCKET) and update the echo that prints "Uploaded to:
obs://${{ secrets.HUAWEI_CLOUD_BUCKET }}/${{ needs.build.outputs.obs-path }}" to
use the new non-secret/output variable while keeping AK/SK as secrets; ensure
the job that validates the bucket (check-secrets) or the build job exports the
bucket name as an output to be consumed here.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 4394b012-13dd-4563-9594-48db5d30009c

📥 Commits

Reviewing files that changed from the base of the PR and between 21cb852 and bfffbfe.

📒 Files selected for processing (1)
  • .github/workflows/deploy-cdn.yml

@chilingling chilingling merged commit e80fb49 into opentiny:develop Apr 1, 2026
4 checks passed