Add secure-checkout action (#971)

* Add secure checkout action Signed-off-by: Ian Lewis <[email protected]> * Update checkout pre-submit check Signed-off-by: Ian Lewis <[email protected]> * Rename script Signed-off-by: Ian Lewis <[email protected]> * Update checkout pre-submit Signed-off-by: Ian Lewis <[email protected]> * Don't call verify-checkout and add comment * Remove verify-checkout Signed-off-by: Ian Lewis <[email protected]> * fix script path Signed-off-by: Ian Lewis <[email protected]> * Update checkout.sh Signed-off-by: Ian Lewis <[email protected]>
slsa-framework · Oct 11, 2022 · 5d257ff · 5d257ff
1 parent 62df09d
commit 5d257ff
Show file tree

Hide file tree

Showing 6 changed files with 97 additions and 51 deletions.
diff --git a/.github/actions/checkout-go/action.yml b/.github/actions/checkout-go/action.yml
@@ -49,16 +49,14 @@ runs:
 
     - name: Checkout the repository with default ref
       if: inputs.ref == ''
+      # TODO(github.com/slsa-framework/slsa-github-generator/issues/968) use secure-checkout
       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
       with:
         fetch-depth: 1
         persist-credentials: false
         repository: "${{ inputs.repository }}"
         token: "${{ inputs.token }}"
 
-    - name: Verify checkout
-      uses: slsa-framework/slsa-github-generator/.github/actions/verify-checkout@e3220805577deb9d193f64e519abcb3b50851df5
-
     - name: Set up Go environment
       uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # tag=v3.3.0
       with:

diff --git a/.github/actions/checkout-node/action.yml b/.github/actions/checkout-node/action.yml
@@ -49,16 +49,14 @@ runs:
 
     - name: Checkout the repository with default ref
       if: inputs.ref == ''
+      # TODO(github.com/slsa-framework/slsa-github-generator/issues/968) use secure-checkout
       uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
       with:
         fetch-depth: 1
         persist-credentials: false
         repository: "${{ inputs.repository }}"
         token: "${{ inputs.token }}"
 
-    - name: Verify checkout
-      uses: slsa-framework/slsa-github-generator/.github/actions/verify-checkout@e3220805577deb9d193f64e519abcb3b50851df5
-
     - name: Set up Node environment
       uses: actions/setup-node@2fddd8803e2f5c9604345a0b591c3020ee971a93 # tag=v3.4.1
       with:

diff --git a/.github/actions/secure-checkout/action.yaml b/.github/actions/secure-checkout/action.yaml
@@ -0,0 +1,66 @@
+name: "secure-checkout"
+description: "Checkout and verify a commit sha for a GitHub repo"
+
+input:
+  repository:
+    description: "The repository to check out."
+    required: false
+    default: ${{ github.repository }} }}
+  sha:
+    description: "The SHA to checkout."
+    required: false
+    # NOTE: different from actions/checkout which takes any git ref.
+    # Users must provide a sha1 digest explicitly if not checking out the
+    # commit that triggered the event.
+    default: ${{ github.sha }} }}
+  token:
+    description: "Token used to fetch the repository."
+    required: false
+    default: ${{ github.token }}
+  persist-credentials:
+    description: "Whether to configure the token or SSH key with the local git config"
+    # NOTE: different from actions/checkout which defaults to true.
+    default: false
+  fetch-depth:
+    description: "Number of commits to fetch. 0 indicates all history for all branches and tags."
+    default: 1
+  strict:
+    description: "Whether to only allow checkouts from repositories that triggered the workflow."
+    default: true
+runs:
+  using: "composite"
+  steps:
+    - name: Verify input sha
+      env:
+        EXPECTED_SHA: "${{ inputs.sha }}"
+      # Verify that the input sha is a git digest (sha1).
+      run: |
+        [[ "${EXPECTED_SHA}" =~ ^[a-fA-F0-9]{40}$ ]]
+
+    - name: Checkout the repository
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+      with:
+        fetch-depth: 1
+        ref: ${{ inputs.sha }}
+        persist-credentials: ${{ inputs.persist-credentials }}
+        repository: ${{ inputs.repository }}
+        token: ${{ inputs.token }}
+
+    - name: Verify checkout
+      shell: bash
+      env:
+        CONTEXT: "${{ toJSON(github) }}"
+        EXPECTED_SHA: "${{ inputs.sha }}"
+      run: |
+        set -euo pipefail
+
+        git_sha="$(git log -1 --format='%H')"
+        if [[ "$git_sha" != "$EXPECTED_SHA" ]]; then
+            echo "mismatch git sha \"$git_sha\" != \"$EXPECTED_SHA\""
+            echo "GitHub context:"
+            echo "$CONTEXT"
+            echo
+            echo "Last 20 commits:"
+            git log -20
+            exit 1
+        fi
diff --git a/.github/actions/verify-checkout/action.yaml b/.github/actions/verify-checkout/action.yaml
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
@@ -13,21 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
-      - run: |
-
-          set -euo pipefail
-
-          # Verify that no internal Actions are using `actions/checkout`
-          # See reasoning in ./github/actions/README.md
-
-          # Split the command to ignore the `1` error `grep` returns when there is no match.
-          results=$(grep -r --include='*.yml' --include='*.yaml' -e 'actions/checkout@\|actions/checkout-go@\|actions/checkout-node@' .github/actions/* || true)
-          results=$(grep -v 'checkout-go\|checkout-node\|generate-builder' <<<"$results" || true)
-          if [[ "$results" != "" ]]; then
-              echo "Some Actions are using 'actions/checkout'"
-              echo "$results"
-              exit -1
-          fi
+      - run: ./.github/workflows/scripts/pre-submit.actions/checkout.sh
 
   check-dist-matrix:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/scripts/pre-submit.actions/checkout.sh b/.github/workflows/scripts/pre-submit.actions/checkout.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Verify that no internal Actions are using `actions/checkout`
+# See reasoning in ./github/actions/README.md
+
+set -euo pipefail
+
+# NOTE: All actions and workflows should not use actions/checkout. They should
+# use an action that uses secure-checkout such as checkout-go, checkout-node
+# etc. or use secure-checkout directly.
+# TODO(github.com/slsa-framework/slsa-github-generator/issues/626): Check workflows as well and not just actions.
+# TODO(github.com/slsa-framework/slsa-github-generator/issues/626): Disallow checkouts for repos other than the repo that triggered the action(i.e. github.repository).
+results=$(
+    grep -r \
+        --include='*.yml' \
+        --include='*.yaml' \
+        --exclude-dir='node_modules' \
+        --exclude-dir='secure-checkout' \
+        --exclude-dir='checkout-go' \
+        --exclude-dir='checkout-node' \
+        -e 'uses: *actions/checkout' \
+        .github/actions/* || true
+)
+if [[ "$results" != "" ]]; then
+    echo "Some Actions are using 'actions/checkout'"
+    echo "$results"
+    exit 1
+fi