Commit 8056186
authored
Remove validate-quick-start-module workflow and the create-issue step (#2081)
## Summary
Two cleanups to the quick start GitHub Actions workflows:
1. **Delete `validate-quick-start-module.yml`** — this validation
workflow is no longer needed here.
Validation is done here:
https://github.com/pytorch/test-infra/blob/main/.github/workflows/validate-binaries.yml
after every RC, before and after the Release
2. **Remove the "Create Issue if failed" step** from
`update-quick-start-module.yml`.
### Why remove the create-issue step
The step used `dacbd/create-issue-action@main` and passed it
`secrets.PYTORCHBOT_TOKEN`:
```yaml
- name: Create Issue if failed
  uses: dacbd/create-issue-action@main
  if: ${{ failure() }}
  with:
    token: ${{secrets.PYTORCHBOT_TOKEN}}
```
This is a supply-chain exposure:
- The action is pinned to a **mutable `@main` ref**, so any future (or
compromised) commit runs in our job.
- It receives a **long-lived broad PAT** (`PYTORCHBOT_TOKEN`), far more
privileged than opening an issue requires. A malicious version could
exfiltrate it; the `pytorchbot-env` environment gates *release* of the
secret but does not stop the third-party action from reading it once the
job runs.
Since the failure is already visible from the scheduled run's status,
the step isn't needed — removing it is the simplest fix and eliminates
the exposure. The `Create Pull Request` step is unchanged (it
legitimately needs a PAT so the PR triggers CI).
This PR was authored with the assistance of an AI coding assistant.

1 parent 5598012 commit 8056186
2 files changed
Lines changed: 0 additions & 40 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
104 | 104 | | |
105 | 105 | | |
106 | 106 | | |
107 | | - | |
108 | | - | |
109 | | - | |
110 | | - | |
111 | | - | |
112 | | - | |
113 | | - | |
114 | | - | |
115 | | - | |
116 | 107 | | |
117 | 108 | | |
118 | 109 | | |
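Review bot: The deletion at old lines 107-115 leaves the `Create Pull Request` step, which the commit message says is unchanged and still needs a PAT, and the context lines shown here (104-106 and 116-118) do not reveal how that step's action is referenced. Since the stated concern is a mutable ref combined with a long-lived token, please confirm in this PR that the remaining step's `uses:` ref is a full commit SHA rather than a branch or tag, or note in the description that it was checked. A one-line comment in the workflow saying that failures are tracked through the scheduled run's status would also document why no notification step exists.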
| |||
This file was deleted.
0 commit comments
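The two conditions the commit message names, a mutable action ref and a secret handed to that step, can be checked mechanically across workflow files. The following is an added example, not code from this commit or the PyTorch repository: a line-based audit that reports steps whose `uses:` ref is not a 40-character commit SHA, together with the secrets those steps reference. The second sample step (`example-org/example-action`, `EXAMPLE_TOKEN`, the all-zero SHA) is constructed, and the parsing assumes conventional block-style YAML.

```python
import re

# Constructed sample: the first step is the one quoted in the commit message;
# the second step, its action name and all-zero SHA are made up for contrast.
SAMPLE_WORKFLOW = """\
steps:
  - name: Create Issue if failed
    uses: dacbd/create-issue-action@main
    if: ${{ failure() }}
    with:
      token: ${{secrets.PYTORCHBOT_TOKEN}}
  - name: Pinned example step
    uses: example-org/example-action@0000000000000000000000000000000000000000
    with:
      token: ${{ secrets.EXAMPLE_TOKEN }}
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
STEP_START_RE = re.compile(r"^\s*-\s+\w")  # assumption: a list item starts a step

def split_steps(text):
    """Group lines into blocks, starting a new block at each list item."""
    blocks, current = [], []
    for line in text.splitlines():
        if STEP_START_RE.match(line) and current:
            blocks.append(current)
            current = []
        current.append(line)
    return blocks + [current]

def audit(text):
    """Return (action, ref, secrets) for steps whose ref is not a full commit SHA."""
    findings = []
    for block in split_steps(text):
        uses = next((m.group(1) for l in block if (m := USES_RE.match(l))), None)
        if uses is None or uses.startswith(("./", "docker://")):
            continue  # no action, a local action, or a container image
        action, _, ref = uses.partition("@")
        if FULL_SHA_RE.fullmatch(ref):
            continue  # immutable commit pin
        secrets = sorted({s for l in block for s in SECRET_RE.findall(l)})
        findings.append((action, ref, secrets))
    return findings

if __name__ == "__main__":
    for action, ref, secrets in audit(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: mutable ref, secrets passed: {secrets or 'none'}")
```

A finding with a non-empty secrets list is the combination the commit message describes; a mutable ref with no secrets is lower priority but still runs unreviewed code in the job.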