Right now we have IPFS website previews on PRs that come from branches but not those that come from forks.
This is because we have secrets in our circle environment. The risk is we can't guarantee that any build won't be maliciously crafted to expose those secrets. The current implementation works because we trust that members of the GitHub org will not do that. However, PRs from forks can come from anyone, so circle is configured to not build PRs from forks.
But that sucks. We want to see IPFS previews on all PRs. What can we do?
Potentially exposing our DNS token is not an option. We could separate out the DNS update process.
Exposing our ipfs-cluster tokens is undesirable, but we could run a dedicated cluster instance for website deploys, and monitor it for suspicious upticks in storage use. Far from ideal, but then the IPFS gateways are already proxying huge volumes of unknown content, so possibly ok.
Creating a GitHub app (see: https://probot.github.io/) that we could enable per repo would be neat, but then we'd have to have a way to build and upload sites, which is the work that circle is currently doing. It seems unwise to take on creating a generic site building pipeline, as if it's at all unreliable, then the magic is lost.
GitHub Actions might work, but it's currently awkward that we have to manage secrets for actions at the repo level rather than the org level.
I've been thinking about this for a while and it was the blocker to earlier website deployments via Circle. One option I thought of was if we were to pin the preview to the preloaders instead, so no credentials required. We would then pin to the cluster on merges. The trick there is that preloaders will prob come GC the site before someone reviews, but in that case the reviewer could just rebuild the preview for review? Not a perfect solution but something?
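One way to express the split discussed in this thread (uncredentialed previews for fork PRs, credentialed pinning only on trusted builds), as an added example that is not part of the original discussion or the project's CI config. `CIRCLE_PR_NUMBER` and `CIRCLE_BRANCH` are CircleCI built-ins (the former is only set on forked PRs); the secret names `CLUSTER_TOKEN` and `DNS_TOKEN`, the `RELEASE_BRANCH` default and the mode names are assumptions.

```shell
#!/bin/sh
# Added example: pick a deploy path per build so a fork PR never reaches a
# credentialed step, and fail closed if secrets are visible to a fork build.

# Hypothetical names of the secrets kept in the CI environment.
SECRET_VARS="CLUSTER_TOKEN DNS_TOKEN"

# Print the names (not the values) of any secret variables that are set.
leaked_secrets() {
  found=""
  for name in $SECRET_VARS; do
    eval "val=\${$name:-}"
    if [ -n "$val" ]; then
      found="$found $name"
    fi
  done
  printf '%s\n' "${found# }"
}

# Print one of:
#   preview-uncredentialed  fork PR: build and publish without any token
#   preview-cluster         branch inside the org: pin preview to the cluster
#   release                 merge to the release branch: pin and update DNS
#   refuse                  fork PR that can see secrets (returns 1)
deploy_mode() {
  if [ -n "${CIRCLE_PR_NUMBER:-}" ]; then
    # Untrusted code is about to run; secrets must not be in its environment.
    if [ -n "$(leaked_secrets)" ]; then
      echo "refuse"
      return 1
    fi
    echo "preview-uncredentialed"
  elif [ "${CIRCLE_BRANCH:-}" = "${RELEASE_BRANCH:-master}" ]; then
    echo "release"
  else
    echo "preview-cluster"
  fi
}
```

The check has to run before any step that executes code from the PR, since a build that already has the tokens in its environment can exfiltrate them before a later guard fires.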