Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CI: Hashpin github-actions with dangerous permissions #7153

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

CI: Hashpin github-actions with dangerous permissions #7153

wants to merge 4 commits into from

Conversation

diogoteles08
Copy link
Contributor

Closes #7119

@diogoteles08
ci(github-actions): hashpin actions with dangerous permissions
a478947 
This includes actions with write permisisons but also actions that have
access to critical secrets, such as the `secrets.ADMIN_GITHUB_TOKEN`

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
@github-actions GitHub Actions
Copy link
Contributor

Binder 👈 Launch a Binder on branch diogoteles08/notebook/ci/hashpin-dependencies

@diogoteles08
Copy link
Contributor Author

Hey @krassowski, I've updated the PR after a version update dated after my initial PR, and resolved the merge conflicts.

It seems like the "Enforce PR label" is still blocking the merge, let me know if there is anything I can do to help solving it.

Cheers,

@krassowski
Copy link
Member

Will we get clever dependabot updates, or will we need to manually update the pins?

@jtpio
Copy link
Member

jtpio commented Dec 18, 2023
edited

Should this be discussed in a team compass repo maybe? For example https://github.com/jupyterlab/team-compass?

These actions are used by many Jupyter projects, and if going with these pins then there is no reason for them to be specific to the notebook repo, but would likely be relevant to other repos as well? For example https://github.com/jupyterlab/jupyterlab, https://github.com/jupyterlab/jupyterlab_server, https://github.com/jupyter-server/jupyter_server, and more.

jtpio
jtpio reviewed Dec 18, 2023
View reviewed changes
.github/workflows/playwright-update.yml

- name: Build
uses: ./.github/actions/build-dist

- uses: actions/download-artifact@v3
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So we can't trust GitHub's own actions anymore?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should just "not trust github", the company has huge credibility and should be more trustful than random or less-known workflows. But we must recognize that the security of their actions is held differently than the security of any of their other infrastructures. Their main infrastructure is closed-source and should have their own security (I can't really tell, but we hope (?)); but their actions are just open source repositories (see https://github.com/actions/download-artifact), and could be vulnerable to risks like any others.

In their own documentation, Github mentions that using tag-versioning can be risky even while only using actions from trusted authors.

And besides that, if we're already hash-pinning the other actions that are run in sensitive context, there is also a "why not" factor to also hash-pin the sensitive ones from GitHub.

@diogoteles08
Copy link
Contributor Author

Will we get clever dependabot updates, or will we need to manually update the pins?

You'll receive clever dependabot updates! It would update them at the same pace you're already used to, and it would still keep a comment with the human-readable version used =).

If you wish, we can also configure it to update all github actions in a single monthly PR, for example.

Should this be discussed in a team compass repo maybe? For example https://github.com/jupyterlab/team-compass?

Let me know if you want my help raising this discussion anywhere else. I'd be happy to help =)

@krassowski krassowski mentioned this pull request Dec 19, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jtpio jtpio jtpio left review comments

Assignees

@diogoteles08 diogoteles08

Labels
maintenance
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Hash-pin GitHub Actions that have access to sensitive permissions and secrets
3 participants
@diogoteles08 @krassowski @jtpio