Comments (4)
> That's all but the most trivial ones like the checkout action.

I have mixed feelings about this. As we're using this workflow only for public repositories, the worst thing that could happen is that the attacker gains access to the ipldbot GitHub token. The compromise of a GitHub account of anyone who has write access to the GitHub org would probably give an attacker more permission than that.

Forking every action will be a considerable overhead going forward. Pinning it to a specific version, as suggested by the doc you shared, should achieve the same effect (unless we're worried about SHA collisions or the repository going offline), offering an easier upgrade path.
> I have mixed feelings about this. As we're using this workflow only for public repositories, the worst thing that could happen is that the attacker gains access to the ipldbot GitHub token. The compromise of a GitHub account of anyone who has write access to the GitHub org would probably give an attacker more permission than that.

Which would give write/merge-access to the author of the action. And yeah, the compromise of a GitHub account would definitely be worse... but I'm not sure how that's relevant. By using third-party actions, we're effectively adding these third-parties to our org, increasing our attack surface significantly.

> Forking every action will be a considerable overhead going forward.

Pinning SHA hashes is probably good enough for now (although more difficult to audit/enforce as we can't just set an "only allow actions from X/Y/Z orgs" policy).
I'm in favor of pinning hashes for now. I seem to understand that git is currently transitioning away from just supporting SHA-1, so I expect that sooner than later we'll be able to just rely on hashes in every case, even when the actions run with secrets.
I agree that forking and maintaining forks seems like too much overhead for little added practical benefit. In my opinion it's on GitHub to make Actions easier to use in a secure way, and I hope they add more measures in that direction.
> supporting SHA-1, so I expect that sooner than later we'll be able to just rely on hashes in every case, even when the actions run with secrets.

It'll likely be a few years, unless something magically changes.
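One concrete form of the "audit/enforce" check the thread says is hard to get from GitHub policy alone, as an added example (not code from this discussion or from the project): a small scanner that flags `uses:` references in a workflow that are not pinned to a full 40-hex commit SHA, with an optional allowlist of action orgs. The workflow text, the `some-vendor` org and the all-zero SHA are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# A `uses:` step reference: owner/repo[/path]@ref, optionally quoted; a YAML comment may follow.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-zero SHA and `some-vendor` are placeholders, not real refs.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: ./.github/actions/local-thing
      - uses: some-vendor/release-tool@main
"""

@dataclass
class Finding:
    line: int
    ref: str
    reason: str

def audit_workflow(text: str, allowed_orgs: Optional[Set[str]] = None) -> List[Finding]:
    """Flag third-party `uses:` references not pinned to a full commit SHA and,
    when an allowlist is given, references to orgs outside it."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # action from this repo: reviewed together with the PR itself
        if "@" not in ref:
            findings.append(Finding(n, ref, "no ref given: resolves to the default branch"))
            continue
        path, version = ref.rsplit("@", 1)
        org = path.split("/", 1)[0]
        if allowed_orgs is not None and org not in allowed_orgs:
            findings.append(Finding(n, ref, f"org '{org}' not in allowlist"))
        if not FULL_SHA_RE.match(version):
            findings.append(Finding(n, ref, f"mutable ref '{version}': pin to a full commit SHA"))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW, allowed_orgs={"actions"})` reports the `v3` tag, the non-allowlisted org and its `main` branch ref, while the SHA-pinned step and the in-repo action pass.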