You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
And enforcing code review before runner execution appears to require the use of environment:. If that is the case then it too be removed from a workflow with a PR, thus bypassing those checks.
Locking a runner to master/main makes PR's fall back to manual testing, as it will only be run once the code hits the "live code base".
Proposed solution
Github supports and allows external workflows, which can be restricted in repository settings (meaning, it's outside of user input control):
By creating a workflow there, we can lock master and the repo in its entirety. And we can then call that runner:
In this "external workflow", we can check immutable values:
"$GITHUB_WORKFLOW_REF" == "archlinux/archinstall/.github/workflows/iso-build.yaml@refs/heads/master" ensures that the branch calling the external workflow is master
"$GITHUB_REPOSITORY" == "archlinux/archinstall" ensures the caller comes from a trusted source (mostly here for readability of what's going on)
"${{ secrets.CALLTOKEN }}" == "$LOCALRUNNER" ensures the secret stored in the calling repo matches that of the local self-hosted runner's environment value.
Running the self-hosted runner with:
LOCALRUNNER="cowbellsandwhistles" ./run.sh
Allows us to lock a secret/access token on both ends as a final security measure.
Remaining issue
Prohibit PR's from adding actions that target self-hosted:
jobs:
access-check:
runs-on: self-hosted
As it will immediately start the job without requiring approval: evil-job.yaml
Conclusion
There's currently no way in GitHub self-hosted runners to prohibit execution of unknown workflows/code, without turning on "Require approval" for all runners.
The best thing would be:
Require approval for new or modified workflows
In that scenario, we could implement pretty neat runners with security checks in the runners themselves without worrying about evil changes to the runners. As it stands, runners are susceptible to changes that can auto-run (unless require approval is turned on). Unless I missed something basic in my testing.
Or, on the runners run.sh allow specifying which users are allowed to initiate runs, making runners individual with know trust. For instance by evaluating GITHUB_ envs.
ActionsBuild, test, and automate your deployment pipeline with world-class CI/CDProduct Feedback
1 participant
Heading
Bold
Italic
Quote
Code
Link
Numbered list
Unordered list
Task list
Attach files
Mention
Reference
Menu
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Select Topic Area
Product Feedback
Body
I'd like to propose a small change to drastically improve self-hosted runners and their permissions/workflow.
Short version:
Here's a walkthrough of the reasoning:
Self-hosted GitHub runner scenario
The premise is to enable:
qemu
on a GitHub runnerThe goal is to provide easy barrier-to-entry on contributions for both maintainers and contributee's on:
Ideas / example solutions
master
/main
branch from changes and only run workflow on those branchescodereview
on any.github/workflows/*.yaml
changes before runners executeAll of which are built-in to GitHub.
Downsides
Forcing "Require approvals" makes maintaining test consistency hard in the long run if contribution volume is high.
The following (on purpose) is what causes the most headaches:
Because if access control to the runner is performed in the GitHub workflow
.yaml
file, things like this is possible:And enforcing code review before runner execution appears to require the use of
environment:
. If that is the case then it too be removed from a workflow with a PR, thus bypassing those checks.Locking a runner to
master
/main
makes PR's fall back to manual testing, as it will only be run once the code hits the "live code base".Proposed solution
Github supports and allows external workflows, which can be restricted in repository settings (meaning, it's outside of user input control):
By creating a workflow there, we can lock
master
and the repo in its entirety. And we can then call that runner:Caller:
reusable workflow:
With security checks on the first step to legitimate caller:
In this "external workflow", we can check immutable values:
"$GITHUB_WORKFLOW_REF" == "archlinux/archinstall/.github/workflows/iso-build.yaml@refs/heads/master"
ensures that the branch calling the external workflow ismaster
"$GITHUB_REPOSITORY" == "archlinux/archinstall"
ensures the caller comes from a trusted source (mostly here for readability of what's going on)"${{ secrets.CALLTOKEN }}" == "$LOCALRUNNER"
ensures the secret stored in the calling repo matches that of the local self-hosted runner's environment value.Running the self-hosted runner with:
LOCALRUNNER="cowbellsandwhistles" ./run.sh
Allows us to lock a secret/access token on both ends as a final security measure.
Remaining issue
self-hosted
:Conclusion
There's currently no way in GitHub self-hosted runners to prohibit execution of unknown workflows/code, without turning on "Require approval" for all runners.
The best thing would be:
In that scenario, we could implement pretty neat runners with security checks in the runners themselves without worrying about evil changes to the runners. As it stands, runners are susceptible to changes that can auto-run (unless require approval is turned on). Unless I missed something basic in my testing.
Or, on the runners
run.sh
allow specifying which users are allowed to initiate runs, making runners individual with know trust. For instance by evaluatingGITHUB_
envs.Beta Was this translation helpful? Give feedback.
All reactions