Commit 1932376

Define Apple Developer Program "team ID" via repository variable
The macOS builds generated by the release workflows are notarized. The Apple Developer Program "team ID" associated with the signing certificate is provided to the notarization tool (which refers to it as the "App Store Connect provider").

Previously, this was defined via a GitHub Actions secret. That implies it is secret information. However, the team ID is public information that can be seen by anyone simply by looking at the notarized application (e.g., using the macOS "spctl" utility), so there is need to use a secret for purposes of protecting the information.

The reason use of a secret was chosen for this purpose when the notarization system was originally developed was simply that the only alternative at that time was hardcoding the information in the workflow. Since the workflow is intended to be generally applicable even in 3rd party projects (including forks of Arduino projects), whereas the signing credentials are specific to Arduino, it is better to define them separately from the workflow so that it can be used without modification (though unfortunately some hardcoding of such information ended up being introduced to the workflows at a later time).

Since that time, GitHub has introduced the repository variable feature, which is intended to configure repository-specific non-secret information. This is the appropriate mechanism for defining the team ID.

Use of secrets to store non-secret information should be avoided as these have a higher maintenance burden. Likewise, ambiguity about what is truly secret makes it difficult to understand the attack surface of a project's infrastructure, resulting in a lack of focus on the true attack vectors.
1 parent 6caca78 commit 1932376

2 files changed

+2
-2
lines changed


.github/workflows/publish-go-nightly-task.yml

Lines changed: 1 addition & 1 deletion
@@ -180,7 +180,7 @@ jobs:
180180
env:
181181
AC_USERNAME: ${{ secrets.AC_USERNAME }}
182182
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
183-
AC_PROVIDER: ${{ secrets.AC_PROVIDER }}
183+
AC_PROVIDER: ${{ vars.AC_PROVIDER }}
184184
run: |
185185
go tool \
186186
github.com/bearer/gon/cmd/gon "${{ env.GON_CONFIG_PATH }}"
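Review bot: the switch from `secrets.AC_PROVIDER` to `vars.AC_PROVIDER` on line 183 evaluates to an empty string when the repository variable has not been defined (for example in a fork that configured only the secrets), so gon would be handed an empty provider and fail late with a less obvious error than a missing secret would; consider a preceding step that fails fast when `vars.AC_PROVIDER` is empty, and document `AC_PROVIDER` as a required repository variable alongside the `AC_USERNAME` and `AC_PASSWORD` secrets that remain in this `env` block.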

.github/workflows/release-go-task.yml

Lines changed: 1 addition & 1 deletion
@@ -180,7 +180,7 @@ jobs:
180180
env:
181181
AC_USERNAME: ${{ secrets.AC_USERNAME }}
182182
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
183-
AC_PROVIDER: ${{ secrets.AC_PROVIDER }}
183+
AC_PROVIDER: ${{ vars.AC_PROVIDER }}
184184
run: |
185185
go tool \
186186
github.com/bearer/gon/cmd/gon "${{ env.GON_CONFIG_PATH }}"
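Review bot: this hunk is identical to the one in publish-go-nightly-task.yml, so the same concern applies to line 183 here: an undefined `vars.AC_PROVIDER` becomes an empty string rather than a clear failure. Since both workflows now depend on the same repository variable plus the `AC_USERNAME` and `AC_PASSWORD` secrets, any fail-fast check and setup documentation added for the nightly workflow should cover this release workflow as well so the two do not drift.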
