[FEATURE] Install Gradle Wrapper Validation Action org-wide #199
Comments
|
Checksum validation at runtiime is a good idea, let's do it. But I think the "malicious actor" story doesn't quite apply, because you're not such an actor and there's a code review from another actor. It's just that we can't examine binaries, so trust but verify. |
|
@dbwiddis unfortunately we have other repos which dont use java/gradle build system. |
|
@dbwiddis What do you want to do about this one? |
|
I plan to convert this to a template: https://docs.github.com/en/actions/using-workflows/creating-starter-workflows-for-your-organization Just haven't had the time to do it but haven't forgotten. |
|
I've updated my PR opensearch-project/.github#118 to create a template. It will show as a Starter workflow for any project that has a gradle wrapper in its project root. LMK if you want me to run a campaign to suggest maintainers who use the gradle wrapper to use this workflow. Once the PR is merged I will create a separate PR to add instructions to https://github.com/opensearch-project/opensearch-plugins/blob/main/WORKFLOWS.md |
|
Closed opensearch-project/.github#118. Leaving this issue open as a reminder to me to add the workflow in |
|
Moved. You could start with opensearch-plugin-template-java. |
Is your feature request related to a problem?
The Gradle Wrapper jar file is used extensively by organization repos to run tests. The jar file included with the installation is a binary executable. A nefarious actor could attempt to upload an arbitrary executable containing malicious code under an innocent-sounding PR like "Update Gradle Wrapper". I actually did such a PR (although with valid code) here and here.
Here's what the updated binary looked like during review:
I'm not sure if the reviewers validated that it was legitimate or just trusted me. :-)
Gradle publishes a Gradle Wrapper Validation Action which can easily be added to a repo's PR workflow. All it does is validate that the SHA-256 checksum matches a legitimate release.
That validation workflow is only presently installed on three opensearch-project repos.
What solution would you like?
Install that workflow to run organization-wide.
Practically speaking, it's copying the content of one of the other workflows from their
.githubdirectory to the.githubdirectory of this project. Individual projects can override this default if they choose.What alternatives have you considered?
Recommending all repo-owners create the workflow, duplicating the configuration.
Do you have any additional context?
See the Gradle Wrapper Validation Action README.
The text was updated successfully, but these errors were encountered: