-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🌱 feat: release homebrew formulae #1376
Conversation
Integration tests success for |
brews: | ||
- tap: | ||
owner: ossf | ||
name: homebrew-tap |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How will this action have permission to write to another repository?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This token should have enough permissions to do that, right, if not, it'll fail.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK. Thanks
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@naveensrinivasan I think we should create PAT to write another repository, the default actions token only has perms in the current repo 🙋🏻♂️ I asked to the maintainer of the GoReleaser project, he told me like that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need to create one and store it on GitHub secret, maybe name it like 'GH_PAT', then we can use it 🙋🏻♂️
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To summarize, here's my take on this:
- I would really really prefer not to go the PAT route. If this is doable, IMO we should wait until then.
- If not, I'm ok biting the bullet for now and submitting this PR as long as there is some commitment from the
goreleaser
team that there will be a better and more secure alternative in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something which only allows write access to homebrew-tap repo.
This is exactly what I want right now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I need a PAT specific for the homebrew-tap
repository, as I said above, pleasesee.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we write a gorelease
workflow in the homebrew-tap
repo, we could use the default GitHub token without a hardcoded non-rotated PAT, right?
Something along the lines of:
- workflows on
ossf/scorecard
runs upon release usinggorelease
. Instead of creating the tap in the workflow, we fire an event (via GH APIs?) to theossf/homebrew-tap
repo to trigger a workflow run. We ideally sign the request with cosign keyless and verify it from theossf/homebrew-tap
workflow. - The
ossf/homebrew-tap
workflow runs and verifies the signature. Then it clones theossf/scorecard
repo at the right commit and compile the code. Alternatively (and preferrably), it just pulls the new release and extract the already-compiled binaries.
Temporary solution: instead of firing an GitHub API from ossf/scorecard
to ossf/homebrew-tap
, we could start by simply manually creating a release on ossf/homebrew-tap
and configure a gorelease
workflow (as we currently do for scorecard): pulls the latest release from ossf/scorecard
, extract the binaries and let gorelease
do its magic.
Note1: I don't know what APIs we'd use to trigger a remote workflow. Maybe one to trigger repository_dispatch
if it's feasible to do that from a remote repo's workflow. Could also just use a pull request (a little ugly though)...
Note2: I wonder if GitHub supports using OIDC between two workfloads on it own platform, i.e. between two repos' workflow https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect. I'll create an issue to ask them
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PTAL @caarlos0 🙋🏻♂️
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! @azeemshaikh38 @laurentsimon Are you guys ok with merging this?
Signed-off-by: Batuhan Apaydın <[email protected]>
0f87dc7
to
0ba7c02
Compare
Integration tests success for |
we're all a bit hesitant to use a write PAT because it's dangerous. In the spirit of OSSF and trying to help everyone improve their security posture, how about trying the following:
I'd imagine we could even blog or tweet about it if it works and improves repo security. wdut? |
Now that we have the |
probably not... |
it seems definitely more secure, but a bit complicated, isn't it? Maybe we can find another way to make it simpler (I still don't know how), @caarlos0 can help us here because it is more like a common problem, if we can find a way to do it, we can write a blog post about it to give people who might encounter with the same problem more information how they can solve the problem. |
@developer-guy This PR address the issue about |
Signed-off-by: Batuhan Apaydın [email protected]
Fixes #1364
feature
There is no active support
create HomeBrew formula for scorecard
No, it doesn't introduce any breaking change.
Users now can be able to install
scorecard
via brew.