Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: potential CI injections #15720

Merged
merged 4 commits into from
Dec 24, 2024
Merged

fix: potential CI injections #15720

merged 4 commits into from
Dec 24, 2024

Conversation

erikburt
Copy link
Collaborator

Changes

  • Updated all references of actions/checkout to use persist-credentials: false
  • Fixed basic possible template injection patterns with high severity

Motivation


https://smartcontract-it.atlassian.net/browse/RE-3341

@erikburt erikburt self-assigned this Dec 16, 2024
@erikburt erikburt requested review from a team as code owners December 16, 2024 21:41
Comment on lines +18 to +19
with:
persist-credentials: false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to do this by default so that we don't have to spam it around everywhere? (and remember to add it in the future for new workflows?)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

afaik the only way to achieve this would be by wrapping actions/checkout in a composite GHA and this as the default.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

^ yeah this would be the only way

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, I don't think it matters that much it was an easy remedy to a lot of warning level errors.

I might try and add it to gha-workflow-validator so it will annotate these references to make sure there's persist credentials.

rafaelfelix
rafaelfelix previously approved these changes Dec 17, 2024
jmank88
jmank88 previously approved these changes Dec 17, 2024
lukaszcl
lukaszcl previously approved these changes Dec 18, 2024
Copy link
Contributor

github-actions bot commented Dec 18, 2024

AER Report: CI Core ran successfully ✅

aer_workflow , commit

AER Report: Operator UI CI ran successfully ✅

aer_workflow , commit

jmank88
jmank88 previously approved these changes Dec 18, 2024
@cl-sonarqube-production
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@chainchad chainchad added this pull request to the merge queue Dec 24, 2024
Merged via the queue into develop with commit 59cdff7 Dec 24, 2024
210 checks passed
@chainchad chainchad deleted the fix/gha-workflow-zizmor branch December 24, 2024 14:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants