Skip to content

Harden docs-preview deploy: isolate CLOUDFLARE_API_TOKEN from the PR-built toolchain #305

Description

@EricAndrechek

Summary

The docs preview deploy references CLOUDFLARE_API_TOKEN in a step that shares a job — and an npm-installed toolchain — with PR-authored build code. This should be hardened so the token is never reachable by code a contributor controls.

Current behavior (.github/workflows/ci.yml)

  • The single CI job runs make ci, which installs the PR's pnpm-lock.yaml and runs PR-authored build steps.
  • A later step in the same job runs pnpm exec wrangler versions upload with CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID to publish the PR preview.
  • Because wrangler resolves from the PR-installed node_modules, a malicious same-repo PR could tamper with the resolved toolchain so the token-bearing step exfiltrates the secret.

Scope / severity

  • Fork PRs are already safe: no secrets are exposed to fork runs, and the deploy steps are gated to same-repo events.
  • Exposure is limited to same-repo PRs, i.e. accounts with write/push (currently the two admins) → low severity today, but it should be fixed before write access is granted more broadly.

Proposed fix (lands with the CI re-architecture)

Move preview + production docs deploy into a dedicated docs-deploy job that:

  1. installs wrangler from trusted main (or a pinned version), not the PR tree;
  2. consumes only the static docs/dist artifact built by the upstream build job; and
  3. is the only place CLOUDFLARE_* is referenced (ideally scoped to a production Environment).

This removes PR-authored code from any job that can see the token.

Notes

Tracked separately so it isn't lost if the CI rework slips; the fix will most likely arrive as the docs-deploy extraction (Step 1 of the CI rework).

Metadata

Metadata

Assignees

Labels

area/infraCI, build, deploy, Docker, releaseenhancementNew feature or requestsecuritySecurity-sensitive issue or fix

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions