-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Dangerous-Workflow: Check for workflow_run trigger #3892
✨ Dangerous-Workflow: Check for workflow_run trigger #3892
Conversation
Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Raghav Kaul <[email protected]>
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3892 +/- ##
==========================================
- Coverage 75.50% 70.76% -4.75%
==========================================
Files 231 232 +1
Lines 15669 15825 +156
==========================================
- Hits 11831 11198 -633
- Misses 3109 3940 +831
+ Partials 729 687 -42 |
/scdiff generate Dangerous-Workflow |
Couple of comments:
I think what we're missing is capturing the context #3861., which is that one of the workflow referenced in something unclear to me: does workflow_run accept a |
|
Ah, I assumed
We only check for
We cover this, but don't explicitly differentiate from composite actions that exist in the same repo. I can modify the code to cover this case though.
Isn't artifact upload (publishing) what we care about? |
|
We care about downloading an artifact produced by the other workflow.
See #3861 (comment) |
My suggestion is to keep this PR simple and do this in another PR. There has not been many complains (AFAIK) about false positives introduced by the lack of permission checking. Maybe it's uncommon in practice so we need not prioritize this?
+1
I thought it does work |
This pull request has been marked stale because it has been open for 10 days with no activity |
Not stale, waiting for update on #3861. |
This pull request has been marked stale because it has been open for 10 days with no activity |
This pull request has been marked stale because it has been open for 10 days with no activity |
@raghavkaul still interested in getting this PR cross the finish line? |
This pull request has been marked stale because it has been open for 10 days with no activity |
What kind of change does this PR introduce?
Check for privileged usage of
on: workflow_run
trigger in GitHub Workflows.secrets.GITHUB_TOKEN
Which issue(s) this PR fixes
Fixes #3861.
Special notes for your reviewer
The largest function,
checkUsesGithubToken
checks ifsecrets.GITHUB_TOKEN
is passed to another workflow. There are a lot ofnil
checks. Another approach is to look through the GitHub Workflow AST, but I wasn't sure if this was possible with actionlint.