
Update how we handle at-risk action sources #377

Merged
merged 4 commits into from
Jan 11, 2021

Conversation

DavidS
Contributor

@DavidS DavidS commented Dec 18, 2020

Security Considerations on Github Actions

As explained in Use GitHub actions at your own risk,
when running github actions from outside the organisation,
there is a risk that symbolic references get taken over by malicious actors.
Similar things happened before in other ecosystems and other packaging registries.
The blog post goes on to suggest pinning to specific SHAs and provides some tooling to do so.
The downsides for us are that the tooling doesn't work well with our ERB templating,
and the additional cost of updating the SHAs across all modules.
Instead we fork at-risk actions into the puppetlabs namespace and use them from there.
This allows us to consume updates at our pace and deploy changes across all modules without delay,
while avoiding actions that surreptitiously change while we're not looking.

Since this still has some overhead, we exclude some "big-name" action maintainers:

Updating actions guidelines

To keep efforts low when updating actions, we list all forked actions here.
To keep confusion to a minimum, the version we use is always on a pdk-templates branch.
This way we can update (git fetch/git push) forked repositories with no prejudice, test out the changes, and only then update the pdk-templates branch.

The repos have restricted access only to @modules team members.

@DavidS DavidS requested review from a team as code owners December 18, 2020 13:44
DavidS added a commit to DavidS/puppetlabs-testing that referenced this pull request Dec 18, 2020
DavidS added a commit to DavidS/puppetlabs-testing that referenced this pull request Dec 18, 2020
# Conflicts:
#	.github/workflows/nightly.yml
#	.github/workflows/pr_test.yml
#	.rubocop.yml
#	Gemfile
DavidS added a commit to DavidS/puppetlabs-testing that referenced this pull request Dec 18, 2020
# Conflicts:
#	.github/workflows/nightly.yml
#	.github/workflows/pr_test.yml
#	.rubocop.yml
#	Gemfile

# Conflicts:
#	metadata.json
@DavidS
Contributor Author

DavidS commented Dec 18, 2020

puppetlabs/puppetlabs-testing#329 has passed green from this change

@DavidS DavidS changed the title Update kvrhdn/gha-buildevents to current dev version; pin to v1 for f… Update how we handle at-risk action sources Jan 5, 2021
@ekohl
Contributor

ekohl commented Jan 5, 2021

I think these are valid concerns. In Voxpupuli we only rely on actions/checkout and ruby/setup-ruby and trust those. I've tried to keep everything minimal. My guidelines are to only perform things you can execute yourself in a shell (rake tasks) and limit it to what needs to happen (git checkout, ensure env has the needed tools). So far I haven't really missed instrumentation like honeycomb or report to Slack (I'm not even on Slack, but not sure I would look at them in IRC) though I really wish there was a better way to report test suites (https://github.com/Drieam/rspec-github is on my list to explore).

Forking sounds like a decent solution but using a branch named pdk-templates means you can't really do major versions. I'd advise to at least use some v1 tag in there.
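
The policy sketched across the PR description (fork at-risk actions into puppetlabs, keep a short allow-list of big-name maintainers) and ekohl's two points (only trust actions/ and ruby/, reference forks by a version tag rather than the pdk-templates branch) can be turned into a small audit of workflow files. The following is an added example, not code from this PR or from pdk-templates; the trusted-owner set, the risk labels and the sample workflow are assumptions constructed for illustration.

```python
import re

# Owners the thread accepts unforked (ekohl: actions/checkout, ruby/setup-ruby); assumed policy.
TRUSTED_OWNERS = {"actions", "ruby"}
# Namespace holding the forked, reviewed copies of at-risk actions (from the PR).
FORK_NAMESPACE = "puppetlabs"

# "uses: owner/repo[/path]@ref"; local "./" and "docker://" references do not match.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+)/([\w.-]+)(?:/[\w./-]+)?@([\w./-]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v\d+(\.\d+)*$")

def classify(owner: str, ref: str) -> str:
    """Label one action reference by how exposed it is to a moved ref."""
    if SHA_RE.match(ref):
        return "pinned-sha"            # immutable, safe from ref takeover
    if owner in TRUSTED_OWNERS:
        return "trusted-owner"         # accepted by policy without a fork
    if owner == FORK_NAMESPACE:
        # forked copy: a version tag allows major bumps, a branch (pdk-templates) does not
        return "fork-tag" if TAG_RE.match(ref) else "fork-branch"
    return "mutable-third-party"       # upstream can move this tag or branch at will

def audit_workflow(text: str) -> list:
    """One finding per remote action reference in workflow YAML text."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            owner, repo, ref = m.groups()
            findings.append({"action": f"{owner}/{repo}", "ref": ref,
                             "risk": classify(owner, ref)})
    return findings

def at_risk(findings: list) -> list:
    """Findings that fail the policy discussed in the thread."""
    return [f for f in findings if f["risk"] in ("mutable-third-party", "fork-branch")]

# Constructed sample workflow (not from the PR) covering each reference style.
SAMPLE = """
steps:
  - uses: actions/checkout@v2
  - uses: ruby/setup-ruby@v1
  - uses: kvrhdn/gha-buildevents@main
  - uses: puppetlabs/gha-buildevents@pdk-templates
  - uses: puppetlabs/gha-buildevents@v1
  - uses: docker://alpine:3.12
  - uses: some-org/some-action@a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
"""
```

Run `at_risk(audit_workflow(open(path).read()))` over each file under `.github/workflows/` to list the references that still point at a third-party branch or tag, or at a fork branch with no version tag.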

@DavidS
Contributor Author

DavidS commented Jan 5, 2021

Forking sounds like a decent solution but using a branch named pdk-templates means you can't really do major versions. I'd advise to at least use some v1 tag in there.

That's a good catch, I'll update that.

@tphoney tphoney marked this pull request as draft January 5, 2021 14:29
When making changes to the workflows we might need to keep multiple versions alive while rolling out the changes.
@DavidS DavidS marked this pull request as ready for review January 5, 2021 14:56
README.md review thread resolved
@sanfrancrisko sanfrancrisko self-assigned this Jan 11, 2021
@sanfrancrisko sanfrancrisko merged commit 04a5089 into puppetlabs:main Jan 11, 2021
@DavidS DavidS deleted the update-buildevents branch January 12, 2021 15:18