Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add GitHub Action to lint incoming GitHub Actions #188

Merged
merged 1 commit into from
Nov 29, 2023
Merged

Add GitHub Action to lint incoming GitHub Actions #188

merged 1 commit into from
Nov 29, 2023

Conversation

wadells
Copy link
Contributor

@wadells wadells commented Nov 29, 2023
edited
Loading

This workflow will check that all changed and added GitHub actions are either pinned to a hash, or on an allow list. This workflow is built to be reusable across Teleport repos, in addition to enforcing standards in this repo.

I chose to add it here to benefit from shared dorny/paths-filter logic as well as a common allow list of "safe actions".

Contributes to https://github.com/gravitational/security-findings/issues/50

Testing

I tested a version of this workflow in wadells/gha-test. Check out the follow pull request to see it in action:

wadells/gha-test#3

I'll do further testing as we roll this out to different repos. This merge will only affect this repo for the time being.

Notes

teleport and teleport.e are already compliant with this lint config for all supported branches. I plan to add this to all Production-Internal and Production-Public repos (as defined in the GitHub Enterprise RFD). For repos that aren't yet compliant (such as shared-workflows) I'll make sure to fix master before rollout.

zgosalvez/github-actions-ensure-sha-pinned-actions is currently broken (it allows stuff through that it shouldn't). I've got a PR out to fix it:

zgosalvez/github-actions-ensure-sha-pinned-actions#132

@wadells
Add GitHub Action to lint incoming GitHub Actions
7b95680 
This workflow will check that all changed and added GitHub actions are
either pinned to a hash, or on an allow list. This workflow is built to
be reusable across Teleport repos, in addition to enforcing standards in
this repo.
@wadells wadells requested review from a team November 29, 2023 00:40
@wadells wadells mentioned this pull request Nov 29, 2023
Merged
@wadells wadells requested a review from adaadb6 November 29, 2023 22:37
@wadells wadells merged commit 18bcfe5 into main Nov 29, 2023
7 checks passed
@wadells wadells deleted the walt/gha-lint branch November 29, 2023 22:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adaadb6 adaadb6 adaadb6 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@wadells @adaadb6