-
Notifications
You must be signed in to change notification settings - Fork 341
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow access to secrets for external contributors #574
Conversation
...after requiring manual approval through GitHub Environments
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does defaults.environment
work?
No, it doesn't seem to work; the editor highlights it as erroneous. In case it did, it would require approval for each individual step. It's a pity, because it would be both elegant and failsafe. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GH business logic of actions/checkout
is broken due to their (ab)use of on.pull_request_target
for two different purposes, one of which requires checkout with.ref: pull_request.head.sha
. No clean work-around until they implement something like on.pull_request_target_v2
😢
worth writing a short blog post about @0x2b3bfa0? (/CC @shcheklein) |
(I hope you didn't omit a comma before “@0x2b3bfa0” on purpose) 🥶 |
Run tests with secrets on external pull requests, securelySome open source projects in the cloud-native space can only be tested by means of integration tests against actual third-party APIs which require authentication ... https://thenewstack.io/the-cloud-native-community-needs-to-talk-about-testing ExampleConfiguration
Workflowon: pull_request_target
jobs:
authorize:
environment: ${{
github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository &&
'external' ||
'internal' }}
runs-on: ubuntu-latest
steps:
- run: true
test:
needs: authorize
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha || github.ref }}
- run: printenv EXAMPLE
env:
EXAMPLE: ${{ secrets.EXAMPLE }} Explanation
The
The
Finally, the See Also
Internal
Failed AttemptsSend secrets to workflows from fork pull requestsBack in 2020, GitHub introduced an option to send secrets to workflows from fork pull requests, but only for private repositories. Require approval for all the outside collaboratorsAdmittedly, the Anecdotes
|
Hi @0x2b3bfa0, this approach seem to work decently well. Isn't it still prone to a race condition in which the attacker may push new changes after the workflow was approved? As explained in: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ Could the PR be updated with malicious code just after the approval? How different is it from the label case? |
Thank you @0x2b3bfa0! It works well indeed! |
The only issue I have now is that I have external collaborators with write access to my repo. I would like them to be able to run automatically the workflow - but it appears only member from the Edit: possible solution: have an environment variable for trusted contributors, and check on |
https://github.com/orgs/community/discussions/14564 would help as well |
Maybe something like this?
Beware of user name changes, though! |
Update: see this blog post we wrote
I forgot to explicitly add access to secrets for external contributors with
pull_request_target
but now it should work as expected. Please keep in mind that approving the test-external environment on malicious pull requests may lead to token exfiltration among other niceties.