ARROW-17621: [CI] Audit workflows (apache#14155)
In this PR I:
- reduced the scope of the automatically generated `GITHUB_TOKEN` as much as possible (technically `contents:none` would be the minimum but it is a bit unintuitive as it does not prevent checkout of public repos, I set `contents:read` in those cases)
- updated all actions used to the newest version (checking for breaking changes, only case is actions/github-script which remains on v3 for that reason -> follow-up)
- moved the creation of envvars containing secrets as close to their usage as possible (-> the step they are used in), this duplicates them in workflows with multiple jobs but is safer.

I have opted **NOT** to pin the different actions by SHA as recommended in some places as the cons outweigh the possible protection in my opinion. The main danger with pinning tags or branches is that a malicious actor changes the commit the tag points to and exfiltrates secrets (either repository secrets or in case of private repos code/ip) or takes some other damaging action like deleting branches, rewriting history etc. We only ever pass actions the `GITHUB_TOKEN` which is ephemeral (deleted after the workflow is finished) and scope limited so exfiltration of that token would worst case allow an attacker to create/delete labels and pr comments as well as modify PR branches (if the submitter activated the checkbox for maintainer access). Actions cannot access secrets without the workflow author explicitly passing them as input (envvars might reveal them though). The Apache Org limits the actions that can be used in repos, so we only use well-known allow-listed actions; while this of course does not prevent malicious actions, it reduces the risk substantially. Pinning SHAs would mitigate these risks (provided the action at that sha was audited...) but would also necessitate regularly checking + re-auditing the actions so as not to miss security patches in these actions (e.g. [here](https://github.com/matlab-actions/setup-matlab/releases/tag/v1.1.1)).

IMHO that would be a considerable effort (+ needing real expertise in typescript/node to spot any malicious additions outside of blatant secret exfiltration or nuking) resulting in a small gain.

Lead-authored-by: Jacob Wujciak-Jens <[email protected]>
Co-authored-by: assignUser <[email protected]>
Signed-off-by: Sutou Kouhei <[email protected]>
1 parent d21c776, commit 32f2665
Showing 19 changed files with 193 additions and 82 deletions.
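The three audit steps the commit message describes (token scope, action versions, where secrets enter the environment) can be checked mechanically. The script below is an added example, not code from the apache/arrow repository or this PR: it scans a workflow file line by line and reports every `uses:` ref with how it is pinned (SHA, tag, branch), a missing workflow-level `permissions:` block, secrets placed in workflow- or job-level `env:` rather than in the step that needs them, and a `pull_request_target` workflow that references the PR head. The sample workflow, the placeholder SHA, the warning codes and the `JOB_ENV_INDENT` assumption (2-space indentation, `env:` at indent 4 is job-level) are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not a file from apache/arrow: it mixes a SHA-pinned action,
# tag-pinned ones, a branch ref, secrets in workflow- and job-level env, a secret
# correctly scoped to one step, and a pull_request_target job that checks out
# the PR head. The SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: example
on:
  pull_request_target:
    types: [opened, synchronize]
env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      API_KEY: ${{ secrets.API_KEY }}
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/github-script@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: publish
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
        run: ./publish.sh
      - uses: actions/labeler@4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
# Assumption: the usual 2-space layout, so `env:` at indent 0 is workflow-wide,
# at indent 4 it is job-wide (jobs: / <job>: / env:), anything deeper is a step.
JOB_ENV_INDENT = 4


def classify_ref(uses: str) -> Tuple[str, str, str]:
    """Split `owner/repo@ref` and report how the ref is pinned."""
    action, sep, ref = uses.partition("@")
    if not sep:
        return action, "", "local"           # ./path action, nothing to pin
    if SHA_RE.match(ref):
        return action, ref, "sha"            # immutable content
    if TAG_RE.match(ref):
        return action, ref, "tag"            # the action owner can move a tag
    return action, ref, "branch-or-other"    # moves with every push


def audit_workflow(text: str) -> Dict[str, List]:
    """Line-oriented audit: every `uses:` ref plus a list of coded warnings."""
    uses: List[Tuple[str, str, str]] = []
    warnings: List[str] = []
    lines = text.splitlines()

    top_level = {l.split(":", 1)[0] for l in lines if l and not l[0].isspace() and ":" in l}
    if "permissions" not in top_level:
        warnings.append("NO_PERMISSIONS: GITHUB_TOKEN keeps the repository default scope")
    uses_prt = any(l.strip().startswith("pull_request_target") for l in lines)

    env_indent = None  # indent of the `env:` mapping the current line sits in
    for no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if stripped == "env:":
            env_indent = indent
            continue
        if env_indent is not None and indent <= env_indent:
            env_indent = None  # left the env mapping

        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify_ref(m.group(1))
            uses.append((action, ref, kind))
            if kind == "branch-or-other":
                warnings.append(f"UNPINNED_REF: line {no}: {action}@{ref}")
            continue
        if uses_prt and "github.event.pull_request.head" in line:
            # under pull_request_target the PR head runs with the base repo's token
            warnings.append(f"PRT_CHECKS_OUT_PR_HEAD: line {no}")
        sm = SECRET_RE.search(line)
        if sm and env_indent is not None and env_indent <= JOB_ENV_INDENT:
            scope = "WORKFLOW" if env_indent == 0 else "JOB"
            warnings.append(f"SECRET_IN_{scope}_ENV: line {no}: {sm.group(1)}")
    return {"uses": uses, "warnings": warnings}


if __name__ == "__main__":
    report = audit_workflow(SAMPLE_WORKFLOW)
    for action, ref, kind in report["uses"]:
        print(f"{kind:16} {action}@{ref}")
    for warning in report["warnings"]:
        print("WARN", warning)
```

Run it over `.github/workflows/*.yml` by reading each file into `audit_workflow`. The `tag` classification deliberately does not decide whether a tag is acceptable: that is the SHA-versus-tag tradeoff the commit message argues, and the report only makes the choice visible per action.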
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -29,9 +29,14 @@ on: | |
- edited | ||
- synchronize | ||
|
||
# NOTE: not using the "cancel-in-progress" feature here as the group key | ||
# does not have enough information for linking it to a particular PR | ||
concurrency: | ||
group: ${{ github.workflow }}-${{ github.repository }}-${{ github.event.number }} | ||
cancel-in-progress: true | ||
|
||
permissions: | ||
contents: read | ||
pull-requests: write | ||
|
||
jobs: | ||
process: | ||
name: Process | ||
|
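Review bot: the NOTE comment says "cancel-in-progress" is not used because the group key cannot be tied to a PR, yet the `concurrency` block right below it sets `cancel-in-progress: true` with `${{ github.event.number }}` in the group key, which does identify the PR; the rendered diff does not show which of these lines are old and which are new, so whichever state is final, the comment and the setting must agree (drop the NOTE if the PR-keyed group is the new state). Also note that `github.event.number` is only populated for pull request events; on any other trigger the key degrades to `<workflow>-<repo>-` and unrelated runs would cancel each other, so keep this workflow on `pull_request_target` only or add a fallback to the key.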
@@ -41,9 +46,8 @@ jobs: | |
|
||
- name: Comment JIRA link | ||
if: | | ||
github.event_name == 'pull_request_target' && | ||
(github.event.action == 'opened' || | ||
github.event.action == 'edited') | ||
(github.event.action == 'opened' || | ||
github.event.action == 'edited') | ||
uses: actions/github-script@v3 | ||
with: | ||
github-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
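Review bot: `uses: actions/github-script@v3` is the one action the commit message deliberately leaves behind because later majors have breaking changes; put that reason and the follow-up reference in a comment beside the `uses:` line, otherwise the next version bump will move it without anyone reading the history. Because the step runs under `pull_request_target` with a write-capable `github-token: ${{ secrets.GITHUB_TOKEN }}` on `opened`/`edited`, keep the script limited to the API calls it makes today and never check out or execute the PR head from this job.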
@@ -53,9 +57,8 @@ jobs: | |
- name: Check title | ||
if: | | ||
github.event_name == 'pull_request_target' && | ||
(github.event.action == 'opened' || | ||
github.event.action == 'edited') | ||
(github.event.action == 'opened' || | ||
github.event.action == 'edited') | ||
uses: actions/github-script@v3 | ||
with: | ||
github-token: ${{ secrets.GITHUB_TOKEN }} | ||
|
@@ -65,9 +68,8 @@ jobs: | |
- name: Check Jira Issue | ||
if: | | ||
github.event_name == 'pull_request_target' && | ||
(github.event.action == 'opened' || | ||
github.event.action == 'edited') | ||
(github.event.action == 'opened' || | ||
github.event.action == 'edited') | ||
uses: actions/github-script@v3 | ||
with: | ||
debug: true | ||
|
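Review bot: `debug: true` on this github-script step turns on request logging for the API client; the runner masks the token itself, but request and response details land in the run log of a `pull_request_target` workflow that anyone can read. If it is leftover from debugging the Jira check, drop it; if it is needed, say why in a comment.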
@@ -78,10 +80,9 @@ jobs: | |
- name: Assign GitHub labels | ||
if: | | ||
github.event_name == 'pull_request_target' && | ||
(github.event.action == 'opened' || | ||
github.event.action == 'synchronize') | ||
uses: actions/[email protected] | ||
(github.event.action == 'opened' || | ||
github.event.action == 'synchronize') | ||
uses: actions/labeler@4 | ||
with: | ||
repo-token: ${{ secrets.GITHUB_TOKEN }} | ||
configuration-path: .github/workflows/dev_pr/labeler.yml | ||
|
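Review bot: `uses: actions/labeler@4` needs a ref that actually exists; actions/labeler publishes `v`-prefixed tags (`v4`, `v4.x.y`), so this should read `actions/labeler@v4` (or a full `v4.x.y` tag), otherwise the workflow fails when the action is resolved. Since this step runs on `synchronize` of a `pull_request_target` with `repo-token: ${{ secrets.GITHUB_TOKEN }}`, also verify that `configuration-path: .github/workflows/dev_pr/labeler.yml` is read from the base branch and not from the PR head, so a contributor cannot influence the labelling rules.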