
Comments (4)

marten-seemann commented on June 30, 2024

That's all but the most trivial ones like the checkout action.

I have mixed feelings about this. As we're using this workflow only for public repositories, the worst thing that could happen is that the attacker gains access to the ipldbot GitHub token. The compromise of a GitHub account of anyone who has write access to the GitHub org would probably give an attacker more permission than that.

Forking every action will be a considerable overhead going forward. Pinning it to a specific version, as suggested by the doc you shared, should achieve the same effect (unless we're worried about SHA collisions or the repository going offline), offering an easier upgrade path.

from .github.

Stebalien commented on June 30, 2024

I have mixed feelings about this. As we're using this workflow only for public repositories, the worst thing that could happen is that the attacker gains access to the ipldbot GitHub token. The compromise of a GitHub account of anyone who has write access to the GitHub org would probably give an attacker more permission than that.

Which would give write/merge-access to the author of the action. And yeah, the compromise of a GitHub account would definitely be worse... but I'm not sure how that's relevant. By using third-party actions, we're effectively adding these third-parties to our org, increasing our attack surface significantly.

Forking every action will be a considerable overhead going forward.

Pinning SHA hashes is probably good enough for now (although more difficult to audit/enforce as we can't just set an "only allow actions from X/Y/Z orgs" policy).

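The audit/enforce gap raised above (no built-in "only these orgs" switch, and no easy way to see which `uses:` lines are pinned to a commit rather than a tag or branch) can be closed with a small scan of the workflow files. The following is an added example, not code from the thread or from the `.github` repository: it walks `uses:` references, reports any that are not pinned to a full 40-hex commit SHA, and optionally reports owners outside an allow-list. The sample workflow, action names, and the all-zero SHA are constructed placeholders.

```python
import re
import sys

# Constructed sample workflow (not from the thread). The owners, action
# names and the 40-hex SHA below are placeholders, not real pinned commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # v5.0.0
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: go test ./...
"""

# Matches "uses: <ref>" inside a step; stops at whitespace or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
# A full commit SHA-1 as GitHub Actions expects it: exactly 40 lowercase hex digits.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def audit_workflow(text, allowed_owners=frozenset()):
    """Return a list of (line_number, uses_value, problem) for a workflow file.

    Two checks are applied to each third-party action reference:
      1. the ref after '@' must be a full commit SHA (tags and branches can move);
      2. if allowed_owners is non-empty, the owner (first path segment) must be in it.
    Local composite actions ('./...') and container images ('docker://...')
    are skipped; they are not GitHub-hosted action repositories.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if uses.startswith("./") or uses.startswith("docker://"):
            continue
        repo, sep, ref = uses.partition("@")
        owner = repo.split("/")[0]
        if not sep:
            findings.append((lineno, uses, "no ref given"))
        elif not FULL_SHA_RE.match(ref):
            findings.append((lineno, uses, "not pinned to a full commit SHA"))
        if allowed_owners and owner not in allowed_owners:
            findings.append((lineno, uses, f"owner {owner!r} not in allow-list"))
    return findings


def main(argv):
    # Scan files given on the command line, or the constructed sample if none.
    if argv[1:]:
        texts = [(path, open(path, encoding="utf-8").read()) for path in argv[1:]]
    else:
        texts = [("<sample>", SAMPLE_WORKFLOW)]
    problems = 0
    for name, text in texts:
        for lineno, uses, problem in audit_workflow(text, allowed_owners={"actions"}):
            print(f"{name}:{lineno}: {uses}: {problem}")
            problems += 1
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a CI step over `.github/workflows/*.yml` and it fails the job when a reference is unpinned or comes from an owner outside the allow-list. It only checks the shape of the ref: it does not confirm that the SHA exists, that it matches the version named in a trailing comment, or that the upstream repository is still online, which is the remaining caveat discussed above.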

mvdan commented on June 30, 2024

I'm in favor of pinning hashes for now. I seem to understand that git is currently transitioning away from just supporting SHA-1, so I expect that sooner than later we'll be able to just rely on hashes in every case, even when the actions run with secrets.

I agree that forking and maintaining forks seems like too much overhead for little added practical benefit. In my opinion it's on GitHub to make Actions easier to use in a secure way, and I hope they add more measures in that direction.


Stebalien commented on June 30, 2024

supporting SHA-1, so I expect that sooner than later we'll be able to just rely on hashes in every case, even when the actions run with secrets.

It'll likely be a few years, unless something magically changes.

