The only secret that is configured is the access key for browserstack.
The worst case of getting it extracted is that someone can run tests on
browserstack with our account. The snabbdombot user has no admin
privileges, so in that case we can just issue a new access key.

When removing unnecessary dependencies, polyfills like core-js were
removed, as well as webpack which bundled the tests to es5. With this
commit, tests that need specific browser features are skipped if the
browser does not support them and the code is compiled to es5 by
karma-typescript.

The environment was used to ensure that the browserstack access keys
are only available after approval, so a potentially malicious actor
can't modify the testing code and extract those secrets. This, however,
creates a lot of noise in the notifications of the maintainers and it
drastically reduces the feedback cycle for the contributor in case their
change causes an issue in one of the supported browsers. Additionally,
the potential harm in extracting the access keys is pretty low. The
snabbdombot account has only user access, so it can't change
browserstack settings and it can only access the automate features. So
the only thing that can happen is that our PRs fail because some third
party is running browser tests and thus exhausting our 5 parallel tests
limit. In that case we can simply change the access key of the
snabbdombot account. For this reason, the secrets are now repository
secrets and the CI does not need an approval to run.