Comments (15)
Back on topic, is there any place to track the status of this security bug so I can know when a decision is made one way or another?
There is not, as we keep security vulnerabilities close to the vest until they're fully addressed. However, I had already added a note to our internal issue to post an update here once we proceed.
from configure-pages.
Unfortunately, we needed to disable this functionality -- hopefully just temporarily -- due to a security bug bounty.
We have a task in our backlog to investigate what it would take to re-enable this. If we can't, we will cut a new major version bump of this Action to remove the enablement functionality.
from configure-pages.
Definitely off-topic. In the future, probably create a new discussion on the community forums: https://github.com/community/community/discussions
The Actions-provided GITHUB_TOKEN is locked down a bit, so even with permissions: write-all, it isn't going to give you anything beyond the allowed categories mentioned here:
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview
You'll notice there is no equivalent to the category you're wanting to modify, e.g. you're wanting something like administration: write|read|none.
You could create your own GitHub App if you want to work with extra APIs like that; otherwise you can always use a Personal Access Token to act as a user instead of using GITHUB_TOKEN.
from configure-pages.
Thanks for the response, could you elaborate more on that? Is the security bug only with this action, or is it something larger? Because I'm also getting this error on github.rest.repos.update and await github.rest.repos.replaceAllTopics.
Is this documented or noted anywhere what systems are limited?
from configure-pages.
Is the security bug only with this action, or is it something larger?
The security bug was specifically about allowing GitHub Apps (including the Actions' GITHUB_TOKEN) to create and delete Pages sites.
As for better understanding the permissions and limitations applied to GitHub Apps for accessing certain REST API resources, this documentation is probably your best bet:
https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
In the Pages section of that page, you can see the REST API endpoints for creating and deleting Pages sites are currently omitted.
from configure-pages.
Thank you for the clarification. I'll keep an eye on this for enabling Pages automatically.
Could you comment on my other issue though? On that permissions page you linked, the "updating a repo" endpoint is still there:
https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#administration
PATCH /repos/:owner/:repo (write)
Which seems to be failing when run from an Action (which has write permissions enabled by default). Are you sure there's not some wider disabling going on here?
Sorry if this is off-topic, but I also don't know where I would even report/ask about something like this. It also seems like it might not be a coincidence and is unexpectedly related to this issue.
from configure-pages.
Sorry for being off topic, I should've thought to post in the general discussions. I was very much misunderstanding the distinction between Actions permissions and the API as a whole. I've created a discussion here for anyone interested: community/community#40279
Back on topic, is there any place to track the status of this security bug so I can know when a decision is made one way or another?
from configure-pages.
We were able to partially re-enable REST APIs to create and/or delete a Pages site, but ONLY for user-to-server tokens (e.g. Personal Access Tokens or OAuth tokens). As such, it still won't work with the GITHUB_TOKEN provided by an Actions workflow/job run.
I'll update this Action soon to change the default behavior to NOT attempt to create/enable the Pages site if it's missing.
Update:
PR:
from configure-pages.
Apologies, slight clarification: you can now also use server-to-server App tokens again as well, but ONLY if they have been granted both the administration:write and pages:write permissions for the relevant repository.
The GITHUB_TOKEN provided by Actions is not capable of being granted administration:write, so that will continue to be an invalid option.
from configure-pages.
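The token rules the maintainers lay out above (GITHUB_TOKEN can read a Pages site but never create one; a PAT, OAuth token or App token holding both administration:write and pages:write can create it), as an added example that is not the configure-pages Action's own code. The fake API, the token strings and the repository names are constructed for the demo; the endpoint path /repos/{owner}/{repo}/pages and the build_type: "workflow" request body follow the public Pages REST API. The point is to fail early with a reason instead of attempting a create call that an Actions token can never satisfy:

```javascript
// Added example, not code from the configure-pages Action.
// `fetchImpl` is injected so the flow runs offline against the constructed
// fake below; in a real workflow you would pass global fetch or an Octokit client.

const API = "https://api.github.com";

// Pure decision: what to do after GET /repos/{owner}/{repo}/pages returned `getStatus`.
function decidePagesAction({ getStatus, tokenIsActionsToken, enablement }) {
  if (getStatus === 200) return { action: "use-existing" };
  if (getStatus === 401) {
    return { action: "fail", reason: "token rejected (401): check the secret, not the Pages settings" };
  }
  if (getStatus !== 404) return { action: "fail", reason: `unexpected status ${getStatus}` };
  if (!enablement) {
    return { action: "fail", reason: "no Pages site: enable it under Settings -> Pages (Source: GitHub Actions)" };
  }
  if (tokenIsActionsToken) {
    // GITHUB_TOKEN cannot be granted administration:write, so POST would always fail.
    return { action: "fail", reason: "GITHUB_TOKEN cannot hold administration:write, so it cannot create a Pages site" };
  }
  return { action: "create" };
}

async function ensurePagesSite({ owner, repo, token, tokenIsActionsToken, enablement, fetchImpl }) {
  const url = `${API}/repos/${owner}/${repo}/pages`;
  const headers = { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json" };

  const getRes = await fetchImpl(url, { method: "GET", headers });
  const decision = decidePagesAction({ getStatus: getRes.status, tokenIsActionsToken, enablement });
  if (decision.action === "fail") throw new Error(`Get Pages site failed: ${decision.reason}`);
  if (decision.action === "use-existing") {
    return { created: false, buildType: (await getRes.json()).build_type };
  }
  const postRes = await fetchImpl(url, {
    method: "POST", headers, body: JSON.stringify({ build_type: "workflow" }),
  });
  if (postRes.status !== 201) throw new Error(`Create Pages site failed with status ${postRes.status}`);
  return { created: true, buildType: (await postRes.json()).build_type };
}

// Constructed stand-in for api.github.com. `state.tokens` maps a token to the
// permissions it holds; `state.sites` maps "owner/repo" to an existing build_type.
function makeFakeGitHub(state) {
  const reply = (status, body) => ({ status, json: async () => body });
  return async (url, { method, headers }) => {
    const [, owner, repo] = url.match(/\/repos\/([^/]+)\/([^/]+)\/pages$/);
    const key = `${owner}/${repo}`;
    const perms = state.tokens[headers.Authorization.replace("Bearer ", "")];
    if (!perms) return reply(401, { message: "Bad credentials" });
    if (method === "GET") {
      return key in state.sites ? reply(200, { build_type: state.sites[key] }) : reply(404, { message: "Not Found" });
    }
    if (!perms.includes("administration:write") || !perms.includes("pages:write")) {
      return reply(403, { message: "Resource not accessible by integration" });
    }
    state.sites[key] = "workflow";
    return reply(201, { build_type: "workflow" });
  };
}

// The scenarios from this thread, run against the fake; returns each outcome.
async function runScenarios() {
  const state = {
    tokens: {
      "ghs_actions": ["contents:read", "pages:write", "id-token:write"], // constructed GITHUB_TOKEN
      "ghp_admin_pat": ["administration:write", "pages:write"],          // constructed classic PAT
    },
    sites: { "octo/already-enabled": "workflow" },
  };
  const fetchImpl = makeFakeGitHub(state);
  const run = (args) => ensurePagesSite({ fetchImpl, ...args }).then((r) => r, (e) => ({ error: e.message }));
  return {
    existing: await run({ owner: "octo", repo: "already-enabled", token: "ghs_actions", tokenIsActionsToken: true, enablement: false }),
    actionsCreate: await run({ owner: "octo", repo: "fresh", token: "ghs_actions", tokenIsActionsToken: true, enablement: true }),
    patCreate: await run({ owner: "octo", repo: "fresh", token: "ghp_admin_pat", tokenIsActionsToken: false, enablement: true }),
    badSecret: await run({ owner: "octo", repo: "fresh", token: "ghp_typo", tokenIsActionsToken: false, enablement: true }),
  };
}
```

Keeping the decision separate from the HTTP calls means the "what can this token do" rule can be checked without a network, and a 401 on the initial GET is reported as a credential problem rather than being retried as a create, which is the symptom reported later in this thread.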
Should y'all update https://github.com/actions/starter-workflows/blob/main/pages/static.yml to reflect this, seeing as it's been ~2 months and this is still an issue?
Not totally clear what the proper way to set this up is at the moment, could y'all maybe provide an example .yml using a classic PAT, as well as which permissions the PAT needs?
from configure-pages.
I created a classic PAT with all permissions, set it as an env secret as PAGES_PAT, and updated my yml to look like the following.
      - name: Setup GitHub Pages
        uses: actions/configure-pages@v3
        # https://github.com/actions/configure-pages/issues/40
        with:
          token: ${{ secrets.PAGES_PAT }}
and I'm getting this as output
Warning: Get Pages site failed
Error: Create Pages site failed
Error: AxiosError: Request failed with status code 401
from configure-pages.
Is there a way this step can be skipped / removed?
https://github.com/actions/starter-workflows/blob/main/pages/jekyll.yml doesn't use this action. I take this back, it does, on line 41.
The question still stands, can I manually set up pages and then not need this step?
from configure-pages.
The question still stands, can I manually set up pages and then not need this step?
The short answer is yes, if you go to settings -> pages and change the source drop-down to GitHub actions, this step will pass without needing a custom token / extra changes.
from configure-pages.
@acdoussan Part of what you described was actually a bug that I introduced with enablement in the v3 version of this Action. My apologies, and thanks for pointing it out!
See #50, v3.0.1, and the latest v3 tag for the fix that will prevent the Action from trying to enable the Pages site (and literally always failing) by default if it doesn't already exist.
from configure-pages.
All good, glad it's fixed! Hopefully, the manual step helps anyone else who comes stumbling along.
from configure-pages.