New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Further steps for CI functions with GH actions #15608
Comments
For failing standard test see https://github.com/cgeo/cgeo/actions/runs/8693327234/job/23839868312?pr=15607 |
AFAICS the secrets are already stored in our repo key/secrests storage. |
The failing test above links to a PR in the c:geo repo for master against the source in a cloned repo (typically for a normal PR). |
mmh...thats indeed a pretty normal case. |
Might be a security feature. Otherwise developers might introduce malicious code to retrieve the secrets... Still problematic for our workflow. |
What I found at GH to the problem is: https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks. |
The relevant part out of it:
|
Yes this is our issue, a security issue. I did a small POC to test the expression required in such case
It allows:
The expression I came to:
We should add some well placed one to our workflows. |
(I didn't remembered I had set the action Does someone know if
|
That would give PR #15626 |
I am not sure if skipping part of tests is meaningful. From what I read here https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ (not sure if outdated but sounds logical from security perspective) we could also make use of As this trigger allows to use secrets of the target repo we should be able to fully test the PRs. |
I will read the article soon. I agree we should have way to test incoming PRs. On PR #15625 was afraid you'll activate |
That part (label trigger) was not yet included as I did not (out of the box) know how to do this...but its mentioned in the article. |
Regarding:
Further reading: |
That brings me to the point, that I do not have any of the secrets. They have ever only been stored on the CI and in the hands of @mucek4 |
I didn't stored them. I will need to extract them from Jenkins again 😉🫣 |
IMHO they should not run in cloned repositories. The short cut-off method is to disable actions in your forks using the repository settings. |
@Lineflyer I've sent you a mail |
secrets added for dependabot ✔️ |
@Lineflyer please see PR #15631 to
|
@Lineflyer here is what I understood from the link you sent earlier (untested) Also note from the document Warning Note that this kind of label based verification is still prone to a race condition in which the attacker may push new changes after the workflow was approved (labeled), but has not started yet. (Heading to bed now) |
After merging PR #15529 the configuration needs some tuning.
(Feel free to extend the list)
The text was updated successfully, but these errors were encountered: