Workflows Trust Split#914

Merged: pgbrodrick merged 5 commits into dev from workflows/cacheless on Mar 19, 2026

Conversation

@jammont jammont commented Mar 16, 2026

After getting the results feature to work, I've come to realize some flaws in the implementation:

  • build.yml was changed to on: pull_request_target, which essentially means the workflow was moved from untrusted space (PR owner) to trusted space (isofit repo)
    • Benefits
      • Enables access to repo secrets
      • Cache is built and shared by all PRs more easily (unexpected side effect, but actually somewhat nice)
    • Consequences
      • Workflows cannot be modified by PRs. Only once merged into dev will changes to a workflow occur
      • Security vulnerability: malicious actors could execute code that would have write access to the isofit test results repo. Not a big concern, but it's there
  • The generated results are serial and won't scale well if we want to explore multiple kinds of generated results

So, this PR is an effort to refactor the workflow architecture to address these issues:

  • Split untrusted actions from trusted
    • Only publishing results to the tests repo and commenting back to the source PR need to be in trusted space. As such, I've moved these actions to their own workflow. This comes with the same pros/cons as above, but without the security vulnerability, as we're no longer executing PR code within it
    • Everything else is untrusted (checking out PR code, executing it, generating results, etc)
      • Re-enables us to edit the majority of the workflows using a PR
      • Allows for adding new result generations without needing to merge first (which makes it way easier to create new results)

Unfortunately, due to the way our workflows are presently implemented, this PR needs to be merged before it can be tested.

[rebuild-cache]
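The trusted/untrusted split described above, as an added example and not the isofit project's own workflow files: an untrusted `pull_request` workflow runs the PR's code with a read-only token and hands its output over as an artifact, and a trusted `workflow_run` workflow (always the default-branch copy, so a PR cannot alter it) comments back without ever checking out PR code. File names, the artifact name and the `pytest` command are assumptions.

```yaml
# .github/workflows/build.yml (untrusted side; file name assumed).
# Runs in the PR's context: PR edits to this file take effect, secrets are unavailable.
name: build
on: pull_request
permissions:
  contents: read          # read-only token for untrusted code
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # PR head: untrusted code runs from here on
      - run: |
          mkdir -p results && pytest --junitxml=results/report.xml   # assumed test command
          echo "${{ github.event.pull_request.number }}" > results/pr_number
      - uses: actions/upload-artifact@v4
        with: { name: results, path: results/ }
---
# .github/workflows/publish.yml (trusted side; file name assumed).
# Runs the default-branch copy with repo permissions; never checks out PR code.
name: publish
on:
  workflow_run:
    workflows: [build]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  publish:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - id: pr
        # The artifact is PR-controlled data: keep only digits before using it.
        run: |
          n=$(tr -dc '0-9' < pr_number)
          [ -n "$n" ] || exit 1
          echo "number=$n" >> "$GITHUB_OUTPUT"
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: ${{ steps.pr.outputs.number }},
              body: 'Generated results for run ${{ github.event.workflow_run.id }}'
            })
```

Publishing to a separate results repo would be a further step in the trusted workflow using a repo-scoped secret, which is exactly why that step must not share a job with PR code.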

github-actions Bot commented Mar 16, 2026

📊 Generated results:

URL: isofit/isofit-test-results#11
SHA: 07a6f39

@jammont jammont changed the title Cache Fixes Workflows Trust Split Mar 16, 2026
@pgbrodrick pgbrodrick marked this pull request as ready for review March 19, 2026 19:12
@pgbrodrick pgbrodrick merged commit 94a2eca into dev Mar 19, 2026
24 checks passed
@jammont jammont mentioned this pull request Mar 19, 2026
@jammont jammont deleted the workflows/cacheless branch March 19, 2026 22:50