Description
We are using Github Actions in several places:
- jamulus: Autobuild (including Releases and CodeQL)
- jamuluswebsite:
- Jekyll
- Merge between branches
We are not only using official Github-provided Actions there, but also multiple third-party actions (see below).
I am not seeing any use of the permissions: keyword there, implying that they run with default permissions. This means that those actions have access to a GITHUB_TOKEN with read and write permission to the relevant repo, as far as I understand.
I have reviewed the following docs and articles:
https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
https://francoisbest.com/posts/2020/the-security-of-github-actions
My conclusion is that we should do the following:
- jamulus: Review all referenced non-official actions for correctness and safety and reference them by sha1 hash instead of branch or tag. CI: Pin Github action dependencies #2779
- jamuluswebsite: Review all referenced non-official actions for correctness and safety and reference them by sha1 hash instead of branch or tag.
- Ensure that Dependabot is active as it supports alerting us if we miss updates to those pinned actions. Github: Enable dependabot for workflow dependencies #2778
- Enable Dependabot on jamuluswebsite as well
- Set Github default action permissions to be restrictive (read-only) and update those workflows which need it to have write permission as well.
- Document the necessity to keep all of this in mind when reviewing PRs which touch these workflow files. I'm planning to include this in the Admin wiki page.
Note: I'm not really worried about Github-official actions such as actions/ or github/ (we are trusting Github anyway!) or actions for other large open source projects with high reputation (ruby/), but I do worry about actions by third-party persons or orgs which we (or at least I?) don't know.
$ grep uses: jamulus*/.github/workflows/*.yml
jamulus/.github/workflows/autobuild.yml: uses: actions/checkout@v2
jamulus/.github/workflows/autobuild.yml: uses: dev-drprasad/[email protected]
jamulus/.github/workflows/autobuild.yml: uses: actions/create-release@v1
jamulus/.github/workflows/autobuild.yml: uses: maxim-lobanov/setup-xcode@v1
jamulus/.github/workflows/autobuild.yml: uses: actions/checkout@v2
jamulus/.github/workflows/autobuild.yml: uses: github/codeql-action/init@v1
jamulus/.github/workflows/autobuild.yml: uses: actions/upload-artifact@v2
jamulus/.github/workflows/autobuild.yml: uses: actions/upload-artifact@v2
jamulus/.github/workflows/autobuild.yml: uses: devbotsxyz/xcode-notarize@d7219e1c390b47db8bab0f6b4fc1e3b7943e4b3b
jamulus/.github/workflows/autobuild.yml: uses: devbotsxyz/xcode-staple@v1
jamulus/.github/workflows/autobuild.yml: uses: actions/upload-release-asset@v1
jamulus/.github/workflows/autobuild.yml: uses: actions/upload-release-asset@v1
jamulus/.github/workflows/autobuild.yml: uses: github/codeql-action/analyze@v1
jamulus/.github/workflows/coding-style-check.yml: - uses: actions/checkout@v2
jamulus/.github/workflows/coding-style-check.yml: - uses: DoozyX/clang-format-lint-action@2a28e3a8d9553f244243f7e1ff94f6685dff87be
jamulus/.github/workflows/update-copyright-notices.yml: - uses: actions/checkout@v2
jamulus/.github/workflows/update-copyright-notices.yml: - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/add-lang.yml: - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/add-lang.yml: uses: actions/[email protected]
jamuluswebsite/.github/workflows/add-lang.yml: uses: EndBug/add-and-commit@v7
jamuluswebsite/.github/workflows/add-lang.yml: uses: peter-evans/create-or-update-comment@v1
jamuluswebsite/.github/workflows/jekyll.yml: - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/jekyll.yml: - uses: dorny/paths-filter@v2
jamuluswebsite/.github/workflows/jekyll.yml: uses: actions/[email protected]
jamuluswebsite/.github/workflows/jekyll.yml: uses: EndBug/add-and-commit@v7
jamuluswebsite/.github/workflows/jekyll.yml: - uses: actions/upload-artifact@v2
jamuluswebsite/.github/workflows/main.yml: - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/main.yml: uses: actions/[email protected]
jamuluswebsite/.github/workflows/main.yml: - uses: dorny/paths-filter@v2
jamuluswebsite/.github/workflows/main.yml: uses: EndBug/add-and-commit@v7
jamuluswebsite/.github/workflows/main.yml: uses: ruby/setup-ruby@v1
jamuluswebsite/.github/workflows/main.yml: uses: limjh16/jekyll-action-ts@v2
jamuluswebsite/.github/workflows/main.yml: uses: peaceiris/actions-gh-pages@v3
jamuluswebsite/.github/workflows/main.yml: - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/main.yml: uses: devmasx/[email protected]
Not sure, if/when I'll have time for further work on this. Feel free to comment here and take over.
cc @jamulussoftware/maindevelopers @nefarius2001
See also:
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
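As an added example (this is not code from the jamulus or jamuluswebsite repositories), the following Python script mechanically performs two of the review steps listed above over a checkout: it flags every uses: reference that is not pinned to a full 40-hex commit SHA, and flags any workflow file that never declares permissions: and therefore runs GITHUB_TOKEN with the repository default. The two workflows embedded in it are constructed for illustration, and the all-zero and all-one SHAs in the hardened one are placeholders, not real commits of those actions.

```python
"""Audit GitHub Actions workflows for two hardening points: third-party
actions referenced by a mutable tag or branch instead of a full commit SHA,
and workflows that never declare `permissions:` (so GITHUB_TOKEN gets the
repository's default scope). Example code written for this issue, not part
of jamulus or jamuluswebsite."""
import re
import sys
from pathlib import Path

# A `uses:` line, either as a list item ("- uses: x") or a bare key.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# External action pinned to a full 40-hex commit SHA: owner/repo[/path]@sha
SHA_PIN_RE = re.compile(r"^[\w.-]+/[\w.-]+(?:/[^@\s]+)?@[0-9a-f]{40}$")
# `permissions:` at any indentation (workflow level or job level).
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*(\S.*)?$")


def classify_uses(ref):
    """Classify one `uses:` reference.

    Local actions (./path) ship with the repo and need no pin; docker://
    images are immutable only when referenced by @sha256 digest; anything
    else counts as pinned only if it ends in a full commit SHA.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker-pinned" if "@sha256:" in ref else "docker-mutable"
    return "pinned" if SHA_PIN_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return a list of (line_number, message) findings for one workflow.

    Line 0 is used for the file-level finding that no `permissions:` block
    exists anywhere in the workflow.
    """
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if PERMISSIONS_RE.match(line):
            has_permissions = True
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) in ("mutable", "docker-mutable"):
            findings.append((lineno, f"unpinned action: {m.group(1)}"))
    if not has_permissions:
        findings.append((0, "no `permissions:` block; GITHUB_TOKEN uses the repo default"))
    return findings


def audit_tree(root):
    """Audit every workflow under <root>/.github/workflows; returns {path: findings}."""
    return {
        str(p): audit_workflow(p.read_text(encoding="utf-8"))
        for p in sorted(Path(root).glob(".github/workflows/*.y*ml"))
    }


# Constructed sample workflows (not the project's real files). The SHAs in
# the hardened one are placeholders, not real commits of those actions.
WEAK_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: devbotsxyz/xcode-notarize@d7219e1c390b47db8bab0f6b4fc1e3b7943e4b3b
      - uses: dorny/paths-filter@v2
"""

HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v2.x placeholder
      - uses: devbotsxyz/xcode-notarize@d7219e1c390b47db8bab0f6b4fc1e3b7943e4b3b
      - uses: dorny/paths-filter@1111111111111111111111111111111111111111  # v2.x placeholder
"""

if __name__ == "__main__":
    if sys.argv[1:]:
        # e.g. python audit_actions.py jamulus jamuluswebsite
        for root in sys.argv[1:]:
            for path, findings in audit_tree(root).items():
                for lineno, msg in findings:
                    print(f"{path}:{lineno}: {msg}")
    else:
        for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
            print(name, audit_workflow(text))
```

Two caveats: the script matches lines with regular expressions rather than parsing YAML, so any permissions: key anywhere in the file (even an overly broad one) satisfies the check and the findings still need a human look; and it treats actions/checkout@v2 as unpinned just like a third-party action, so filter on the owner prefix if you take the position above that actions/ and github/ are trusted. When pinning, keep the version as a trailing comment on the uses: line (as in the hardened sample), since that is what Dependabot updates alongside the SHA.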