Update how we handle at-risk action sources #377
# Conflicts:
#   .github/workflows/nightly.yml
#   .github/workflows/pr_test.yml
#   .rubocop.yml
#   Gemfile

# Conflicts:
#   .github/workflows/nightly.yml
#   .github/workflows/pr_test.yml
#   .rubocop.yml
#   Gemfile
# Conflicts:
#   metadata.json
puppetlabs/puppetlabs-testing#329 has passed green from this change
71339e4 to 2a3ce25
I think these are valid concerns. In Voxpupuli we only rely on Forking sounds like a decent solution but using a branch named
That's a good catch, I'll update that.
When making changes to the workflows we might need to keep multiple versions alive while rolling out the changes.
Security Considerations on GitHub Actions
As explained in Use GitHub actions at your own risk,
when running GitHub Actions from outside the organisation,
there is a risk that symbolic references (tags and branch names) get taken over by malicious actors.
Similar things have happened before in other ecosystems and other packaging registries.
The blog post goes on to suggest pinning to specific commit SHAs and provides some tooling to do so.
The downsides for us are that the tooling doesn't work well with our ERB templating,
and the additional cost of updating the SHAs across all modules.
Instead we fork at-risk actions into the puppetlabs namespace and use them from there.
This allows us to consume updates at our pace and deploy changes across all modules without delay,
while avoiding actions that surreptitiously change while we're not looking.
Since this still has some overhead, we exclude some "big-name" action maintainers:
Updating actions guidelines
To keep efforts low when updating actions, we list all forked actions here.
To keep confusion to a minimum, the version we use is always on a pdk-templates branch.
This way we can freely update (git fetch / git push) the forked repositories, test out the changes, and only then update the pdk-templates branch.
The repos have restricted access only to @modules team members.
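As an added example (not code from pdk-templates or this PR), a small Ruby lint that applies the policy above to a workflow: every uses: reference must be pinned to a full commit SHA, consumed from a puppetlabs fork on the pdk-templates branch, or owned by an explicitly trusted maintainer. The trusted-owner list, the action names and the sample workflow are constructed placeholders.

```ruby
# Added example, not code from pdk-templates: lint the `uses:` references in a
# workflow against the policy described above. A reference passes when it is
# pinned to a full 40-hex commit SHA, consumed from a fork in the puppetlabs
# namespace on the pdk-templates branch, or owned by a trusted maintainer.
# Owner allow-list, action names and the sample workflow are constructed.

USES_RE = /^\s*-?\s*uses:\s*["']?([^\s"'#]+)/

# Classify one `owner/repo@ref` reference (assumption: puppetlabs-owned
# actions used at any ref other than pdk-templates are reported, since the
# convention above is that the consumed version always lives on that branch).
def action_ref_status(ref, trusted_owners: [], fork_owner: 'puppetlabs', fork_branch: 'pdk-templates')
  return :local if ref.start_with?('./')        # action checked into this repo
  repo, version = ref.split('@', 2)
  owner = repo.split('/').first
  return :sha_pinned if version&.match?(/\A[0-9a-f]{40}\z/)
  return :forked if owner == fork_owner && version == fork_branch
  return :trusted if trusted_owners.include?(owner)
  :at_risk                                      # mutable tag or branch we do not control
end

# Return one finding per `uses:` line that does not satisfy the policy.
def lint_workflow(yaml_text, **opts)
  yaml_text.each_line.with_index(1).filter_map do |line, lineno|
    m = USES_RE.match(line) or next
    status = action_ref_status(m[1], **opts)
    next if %i[local sha_pinned forked trusted].include?(status)
    { line: lineno, ref: m[1], status: status }
  end
end

# Constructed workflow fragment with one reference of each style.
SAMPLE_WORKFLOW = <<~YAML
  jobs:
    test:
      steps:
        - uses: actions/checkout@v4
        - uses: example-org/example-action@v1
        - uses: puppetlabs/example-action@pdk-templates
        - uses: example-org/other-action@0123456789abcdef0123456789abcdef01234567
        - uses: ./.github/actions/local-step
YAML

if __FILE__ == $PROGRAM_NAME
  lint_workflow(SAMPLE_WORKFLOW, trusted_owners: %w[actions]).each do |f|
    puts "line #{f[:line]}: #{f[:ref]} is #{f[:status]}"   # flags only the @v1 reference
  end
end
```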