From 15dec13ba3cb096036d46fd65a9a527d920c4ed6 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Tue, 23 Apr 2024 20:32:32 +0000
Subject: [PATCH 01/15] add post-commit
Signed-off-by: Ramon Petgrave
---
 .github/workflows/post-commit.yml | 95 +++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 .github/workflows/post-commit.yml
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
new file mode 100644
index 000000000..f05ced427
--- /dev/null
+++ b/.github/workflows/post-commit.yml
@@ -0,0 +1,95 @@
+# A workflow to run against renovate-bot's PRs,
+# such as `make package` after it updates the package.json and package-lock.json files.
+
+name: Post-Commit
+
+on:
+ workflow_dispatch:
+ inputs:
+ pr_number:
+ description: "The pull request number."
+ required: true
+ type: number
+
+env:
+ COMMAND: |
+ (
+ cd ./actions/installer/dist/../ && \
+ make clean && \
+ make package && \
+ true
+ )
+ COMMIT_MESSAGE: "apply post-commit changes"
+ ARTIFACT: changes.patch
+
+jobs:
+ diff:
+ permissions:
+ pull-requests: read
+ outputs:
+ patch_not_empty: ${{ steps.diff.outputs.patch_not_empty }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+ with:
+ repository: ${{ github.repository }}
+ persist-credentials: false
+ - name: checkout-pr
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ gh pr checkout ${{ inputs.pr_number }}
+ - name: run-command
+ run: ${{ env.COMMAND }}
+ - name: diff
+ id: diff
+ run: |
+ git add .
+ git status
+ git diff HEAD > ${{ env.ARTIFACT }}
+ [ -z "$(cat ${{ env.ARTIFACT }})" ] && RESULT=false || RESULT=true
+ echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT"
+ - name: upload
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ env.ARTIFACT }}
+ path: ${{ env.ARTIFACT }}
+
+ push:
+ if: needs.diff.outputs.patch_not_empty == 'true'
+ needs: diff
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read
+ contents: write
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+ - name: checkout-pr
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ gh pr checkout ${{ inputs.pr_number }}
+ - name: download-patch
+ uses: actions/download-artifact@v4
+ with:
+ name: ${{ env.ARTIFACT }}
+ - id: apply
+ run: |
+ git apply ${{ env.ARTIFACT }}
+ rm ${{ env.ARTIFACT }}
+ # example from
+ # https://github.com/actions/checkout/blob/cd7d8d697e10461458bc61a30d094dc601a8b017/README.md#push-a-commit-using-the-built-in-token
+ - name: push
+ run: |
+ git config user.name github-actions
+ git config 
user.email github-actions@github.com
+ git add .
+ git status
+ if git commit -m "${{ env.COMMIT_MESSAGE }}"
+ then
+ git push
+ else
+ echo "there is no diff"
+ fi
From 843b2e5d331f099ae7e6d7f75bdf0806ac267be7 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Tue, 23 Apr 2024 20:36:03 +0000
Subject: [PATCH 02/15] more docs
Signed-off-by: Ramon Petgrave
---
 .github/workflows/post-commit.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
index f05ced427..cc4c15b20 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/post-commit.yml
@@ -1,5 +1,8 @@ # A workflow to run against renovate-bot's PRs, # such as `make package` after it updates the package.json and package-lock.json files.
+# The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact.
+# Then a higher-privilage Job applies the diff and pushes the changes to the PR.
+# It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes! name: Post-Commit
From bfdb9a213afc42d095593c342a039360c1273665 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Tue, 23 Apr 2024 20:37:14 +0000
Subject: [PATCH 03/15] typo
Signed-off-by: Ramon Petgrave
---
 .github/workflows/post-commit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
index cc4c15b20..695243d40 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/post-commit.yml
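Review bot: `gh pr checkout ${{ inputs.pr_number }}` in the checkout-pr step of both jobs expands a workflow input directly into the shell script; `type: number` narrows what the dispatch form accepts, but the step already passes `GH_TOKEN` through `env:`, and the input belongs there too: add `PR_NUMBER: ${{ inputs.pr_number }}` under that `env:` and change the command to `gh pr checkout "$PR_NUMBER"`. Patch 10 keeps the inline expansion in its one-line `run: gh pr checkout` rewrite of these steps, so the same change applies there. Separately, the push step's bare `git push` relies on the upstream that `gh pr checkout` configured; if the PR head lives in a fork, the built-in token presumably cannot push there, so a comment on the step saying which PR branches this supports would help the next reader.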
@@ -1,7 +1,7 @@ # A workflow to run against renovate-bot's PRs, # such as `make package` after it updates the package.json and package-lock.json files. # The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact.
-# Then a higher-privilage Job applies the diff and pushes the changes to the PR.
+# Then a higher-privilege Job applies the diff and pushes the changes to the PR. # It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes! name: Post-Commit
From f5a747d1af65d576e640b85d7327c8bebcb3a3f9 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Tue, 23 Apr 2024 20:44:40 +0000
Subject: [PATCH 04/15] no conditional
Signed-off-by: Ramon Petgrave
---
 .github/workflows/post-commit.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
index 695243d40..074066e2f 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/post-commit.yml
@@ -90,9 +90,5 @@ jobs: git config user.email github-actions@github.com git add . git status
- if git commit -m "${{ env.COMMIT_MESSAGE }}"
- then
+ git commit -m "${{ env.COMMIT_MESSAGE }}" git push
- else
- echo "there is no diff"
- fi
From a67cc7092fa5de0c987a87a0e020a25465735939 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Wed, 24 Apr 2024 16:24:16 +0000
Subject: [PATCH 05/15] set default permissions: {}
Signed-off-by: Ramon Petgrave
---
 .github/workflows/post-commit.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
index 074066e2f..d5fdacdd7 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/post-commit.yml
@@ -6,6 +6,8 @@ name: Post-Commit
+permissions: {}
+ on: workflow_dispatch: inputs:
From ae3b59b546d76c130baf28d3c925f005636eae23 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Wed, 24 Apr 2024 16:25:08 +0000
Subject: [PATCH 06/15] cleanup
Signed-off-by: Ramon Petgrave
---
 .github/workflows/post-commit.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
index d5fdacdd7..ee7b38421 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/post-commit.yml
@@ -21,8 +21,7 @@ env: ( cd ./actions/installer/dist/../ && \ make clean && \
- make package && \
- true
+ make package ) COMMIT_MESSAGE: "apply post-commit changes" ARTIFACT: changes.patch
From 023594f07cd4144611bedd2efa004b5da20c8f6c Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Wed, 24 Apr 2024 16:26:56 +0000
Subject: [PATCH 07/15] pin actions
Signed-off-by: Ramon Petgrave
---
 .github/workflows/post-commit.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
index ee7b38421..f29df3922 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/post-commit.yml
@@ -55,7 +55,7 @@ jobs: [ -z "$(cat ${{ env.ARTIFACT }})" ] && RESULT=false || RESULT=true echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT" - name: upload
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: ${{ env.ARTIFACT }} path: ${{ env.ARTIFACT }}
@@ -76,7 +76,7 @@ jobs: run: | gh pr checkout ${{ inputs.pr_number }} - name: download-patch
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: name: ${{ env.ARTIFACT }} - id: apply
From 129f707e4175678f1898fc2b03802797a5a0a05f Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Wed, 24 Apr 2024 17:12:24 +0000
Subject: [PATCH 08/15] more security notes
Signed-off-by: Ramon Petgrave
---
 .github/workflows/post-commit.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
index f29df3922..b2226c974 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/post-commit.yml
@@ -1,9 +1,14 @@ # A workflow to run against renovate-bot's PRs, # such as `make package` after it updates the package.json and package-lock.json files.
+ # The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact. # Then a higher-privilege Job applies the diff and pushes the changes to the PR. # It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes!
+# There have been vulnerabilities with using `git apply` https://github.blog/2023-04-25-git-security-vulnerabilities-announced-4/
+# At this point a compromised git binary could modify any branch except `main` and `release/*`, due to our branch protection rules and CODEOWNERS.
+# It may also be able to submit a release https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview
+ name: Post-Commit permissions: {}
From 5bf1cf7181b35e29016dfd2f00bc106ba93d121b Mon Sep 17 00:00:00 2001
From: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Date: Wed, 24 Apr 2024 14:53:30 -0400
Subject: [PATCH 09/15] update security guidance
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
---
 .github/workflows/post-commit.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
index b2226c974..d766f538f 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/post-commit.yml
@@ -6,8 +6,9 @@ # It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes! # There have been vulnerabilities with using `git apply` https://github.blog/2023-04-25-git-security-vulnerabilities-announced-4/
-# At this point a compromised git binary could modify any branch except `main` and `release/*`, due to our branch protection rules and CODEOWNERS.
-# It may also be able to submit a release https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview
+# At this point a compromised git binary cannot modify any of this repo's branches, only the PR fork's branch,
+# due to our branch protection rules and CODEOWNERS.
+# It aslso cannot submit a new release or modify exsiting releases due to tag protection rules. name: Post-Commit
From dcd2ea772c848c15b6e003279b6228b9a5dd568c Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Wed, 24 Apr 2024 19:03:03 +0000
Subject: [PATCH 10/15] no env variables
Signed-off-by: Ramon Petgrave
---
 .github/workflows/post-commit.yml | 39 +++++++++++++------------------
 1 file changed, 16 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/post-commit.yml
index d766f538f..c8d8310ed 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/post-commit.yml
@@ -22,16 +22,6 @@ on: required: true type: number
-env:
- COMMAND: |
- (
- cd ./actions/installer/dist/../ && \
- make clean && \
- make package
- )
- COMMIT_MESSAGE: "apply post-commit changes"
- ARTIFACT: changes.patch
- jobs: diff: permissions: 
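Review bot: The rewritten comment states that a compromised `git apply` in the push job cannot modify any of this repo's branches, but that job runs with `contents: write`, so the statement holds only for branches actually covered by the branch-protection rules the comment cites; any unprotected branch in this repository stays writable with that token, and the same caveat presumably applies to tags outside the tag-protection rules. Suggest narrowing the wording to `# At this point a compromised git binary cannot modify this repo's protected branches (only the PR's own branch),` so the guarantee matches its source. The last added line also carries two typos, `aslso` and `exsiting`; it should read `# It also cannot submit a new release or modify existing releases due to tag protection rules.`.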
@@ -48,23 +38,27 @@ jobs: - name: checkout-pr env: GH_TOKEN: ${{ github.token }}
- run: |
- gh pr checkout ${{ inputs.pr_number }}
+ run: gh pr checkout ${{ inputs.pr_number }} - name: run-command
- run: ${{ env.COMMAND }}
+ run: |
+ (
+ cd ./actions/installer/dist/../ && \
+ make clean && \
+ make package
+ ) - name: diff id: diff run: | git add . git status
- git diff HEAD > ${{ env.ARTIFACT }}
- [ -z "$(cat ${{ env.ARTIFACT }})" ] && RESULT=false || RESULT=true
+ git diff HEAD > changes.patch
+ [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT" - name: upload uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with:
- name: ${{ env.ARTIFACT }}
- path: ${{ env.ARTIFACT }}
+ name: changes.patch
+ path: changes.patch push: if: needs.diff.outputs.patch_not_empty == 'true'
@@ -79,16 +73,15 @@ jobs: - name: checkout-pr env: GH_TOKEN: ${{ github.token }}
- run: |
- gh pr checkout ${{ inputs.pr_number }}
+ run: gh pr checkout ${{ inputs.pr_number }} - name: download-patch uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with:
- name: ${{ env.ARTIFACT }}
+ name: changes.patch - id: apply run: |
- git apply ${{ env.ARTIFACT }}
- rm ${{ env.ARTIFACT }}
+ git apply changes.patch
+ rm changes.patch # example from # https://github.com/actions/checkout/blob/cd7d8d697e10461458bc61a30d094dc601a8b017/README.md#push-a-commit-using-the-built-in-token - name: push
@@ -97,5 +90,5 @@ jobs: git config user.email github-actions@github.com git add . git status
- git commit -m "${{ env.COMMIT_MESSAGE }}"
+ git commit -m "apply post-commit changes" git push
From acd8dcad52f1d675669a3bd93022ca6b709f6a99 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Thu, 2 May 2024 16:06:25 +0000
Subject: [PATCH 11/15] change name to be more descriptive
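Review bot: In the new `run-command` step, `cd ./actions/installer/dist/../ && \` resolves to the parent of `dist`, so `cd ./actions/installer && \` says the same thing without the detour and no longer reads as if the step depended on `dist` existing. In the `diff` step, `[ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true` reads the whole patch into a command substitution only to test emptiness; `if [ -s changes.patch ]; then RESULT=true; else RESULT=false; fi` tests the size directly and makes both assignments explicit. The inline `${{ inputs.pr_number }}` kept in the two one-line `run: gh pr checkout` steps is the point already raised on patch 01.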
Signed-off-by: Ramon Petgrave
---
 .../{post-commit.yml => update-actions-dist-post-commit.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename .github/workflows/{post-commit.yml => update-actions-dist-post-commit.yml} (98%)
diff --git a/.github/workflows/post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml
similarity index 98%
rename from .github/workflows/post-commit.yml
rename to .github/workflows/update-actions-dist-post-commit.yml
index c8d8310ed..185668482 100644
--- a/.github/workflows/post-commit.yml
+++ b/.github/workflows/update-actions-dist-post-commit.yml
@@ -10,7 +10,7 @@ # due to our branch protection rules and CODEOWNERS. # It aslso cannot submit a new release or modify exsiting releases due to tag protection rules.
-name: Post-Commit
+name: Update action dist post-commit permissions: {}
From aa09a161c1e7cb3df0fb1c13c382696091aefad0 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Thu, 2 May 2024 16:11:44 +0000
Subject: [PATCH 12/15] comment about permissions
Signed-off-by: Ramon Petgrave
---
 .github/workflows/update-actions-dist-post-commit.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml
index 185668482..6d9503e4f 100644
--- a/.github/workflows/update-actions-dist-post-commit.yml
+++ b/.github/workflows/update-actions-dist-post-commit.yml
@@ -10,7 +10,7 @@ # due to our branch protection rules and CODEOWNERS. # It aslso cannot submit a new release or modify exsiting releases due to tag protection rules.
-name: Update action dist post-commit
+name: Update actions dist post-commit permissions: {}
@@ -25,6 +25,7 @@ on: jobs: diff: permissions:
+ # This Job executes the PR's untrusted code, so it must how low permissions. pull-requests: read outputs: patch_not_empty: ${{ steps.diff.outputs.patch_not_empty }} 
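Review bot: The comment added above `pull-requests: read` in the `diff` job has a typo, `so it must how low permissions`; it should read `# This Job executes the PR's untrusted code, so it must have low permissions.`. It could also name the consequence it is justifying, since a job-level `permissions:` block leaves every scope it does not list at none: `# This Job executes the PR's untrusted code, so it gets only pull-requests: read; every other scope stays none.`.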
@@ -65,6 +66,7 @@ jobs: needs: diff runs-on: ubuntu-latest permissions:
+ # This Job does not run untrusted code, but it does need to push changes to the PR's branch. pull-requests: read contents: write steps:
From 3932f9c71fa883c7c8f0c54d26fe089ba2d40637 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Thu, 2 May 2024 16:23:35 +0000
Subject: [PATCH 13/15] add contributing docs
Signed-off-by: Ramon Petgrave
---
 docs/CONTRIBUTING.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 docs/CONTRIBUTING.md
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
new file mode 100644
index 000000000..f66b4146d
--- /dev/null
+++ b/docs/CONTRIBUTING.md
@@ -0,0 +1,21 @@
+# Contributing
+
+## Updating Github Actions Dependencies
+
+### Renovate-Bot PRs
+
+`renovate-bot` will periodically send PRs to update the `package.json` and `package-lock.json` in the Github Actions of this repo.
+But, it will not also automatically recompile the packages into `.js` files.
+
+We use a Workflow [Update actions dist post-commit](../.github/workflows/update-actions-dist-post-commit.yml) to
+help maintainers easily recompile the Github Actions against a PR.
+
+Use the UI to invoke the workflow
+
+[update-actions-dist-post-commit.yml](https://github.com/slsa-framework/slsa-verifier/actions/workflows/update-actions-dist-post-commit.yml)
+
+or invoke with
+
+```shell
+gh workflow run update-actions-dist-post-commit.yml -F pr_number=
+```
\ No newline at end of file
From d62741010a2ec196eda6d67f4505661619932241 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Date: Mon, 6 May 2024 11:46:15 -0400
Subject: [PATCH 14/15] change commit message
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
---
 .github/workflows/update-actions-dist-post-commit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
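Review bot: The comment added above the `push` job's `pull-requests: read` says the job does not run untrusted code, which understates what it handles: the apply step feeds the artifact produced by the untrusted `diff` job into `git apply` and then commits the result with `contents: write`, which is exactly the exposure the file's header comment about `git apply` vulnerabilities describes. Suggest `# This Job runs no PR code itself, but it applies the untrusted patch from the diff job with git apply, and it needs contents: write to push the result to the PR's branch.` so the two comments agree. The apply and push steps referred to are outside this hunk.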
diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml
index 6d9503e4f..b721606cb 100644
--- a/.github/workflows/update-actions-dist-post-commit.yml
+++ b/.github/workflows/update-actions-dist-post-commit.yml
@@ -92,5 +92,5 @@ jobs: git config user.email github-actions@github.com git add . git status
- git commit -m "apply post-commit changes"
+ git commit -m "update actions dist" git push
From 076fb7428235a9e95f5d3a48f7b9ddbbfc429cb4 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Date: Mon, 6 May 2024 15:58:03 -0400
Subject: [PATCH 15/15] pin actions/checkout
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
---
 .github/workflows/update-actions-dist-post-commit.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml
index b721606cb..3edbf2a9d 100644
--- a/.github/workflows/update-actions-dist-post-commit.yml
+++ b/.github/workflows/update-actions-dist-post-commit.yml
@@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: ${{ github.repository }} persist-credentials: false
@@ -71,7 +71,7 @@ jobs: contents: write steps: - name: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: checkout-pr env: GH_TOKEN: ${{ github.token }}