releasing: publish to flakehub #7328
Conversation
- uses: "actions/checkout@v4" | ||
with: | ||
ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}" |
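Review bot: this checkout step leaves `persist-credentials` at its default of `true`, so the job's token is written into `.git/config` inside the checkout, where later steps and anything uploaded as an artifact can read it; that is what the credential-persistence warning below is about. Add `persist-credentials: false` under `with:`, next to the `ref:` line.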
Check warning
Code scanning / zizmor
credential persistence through GitHub Actions artifacts Warning
- uses: "actions/checkout@v4" | ||
with: | ||
ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}" | ||
- uses: "DeterminateSystems/determinate-nix-action@v3" |
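Review bot: `determinate-nix-action@v3` is a floating tag that the action's owner can move, so what this job runs is not fixed by this file; pin it to a full commit SHA, as the suggestion further down does with `DeterminateSystems/determinate-nix-action@b7303d63f88908d15f0bcb207e60b3a0ea7f1712`.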
Check failure
Code scanning / zizmor
unpinned action reference Error
with: | ||
ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}" | ||
- uses: "DeterminateSystems/determinate-nix-action@v3" | ||
- uses: "DeterminateSystems/flakehub-push@main" |
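Review bot: `flakehub-push@main` tracks a branch, so every release run pulls whatever is on `main` at that moment; for the step that actually publishes, that is the least desirable reference to float on. Pin to a commit SHA (the suggested `71f57208810a5d299fc6545350981de98fdbc860` below) and let a dependency bot propose bumps.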
Check failure
Code scanning / zizmor
unpinned action reference Error
- uses: "DeterminateSystems/flakehub-push@main" | |
- uses: DeterminateSystems/flakehub-push@71f57208810a5d299fc6545350981de98fdbc860 |
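Review bot: the suggested line pins to a SHA but drops the double quotes used on every other `uses:` in this file and carries no trailing comment naming the tag the SHA corresponds to; a `# <tag>` comment beside the SHA keeps the pin readable in review and lets update bots track it.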
flakehub-publish: | ||
runs-on: "ubuntu-latest" | ||
permissions: | ||
id-token: "write" |
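Review bot: declaring `permissions:` with only `id-token: write` sets every other scope of the job token to none, which is the right shape for OIDC-based publishing, but the block deserves a one-line comment saying the `id-token` scope exists for flakehub-push's OIDC exchange, since it raises exactly that question in this thread. If this repository is private, checkout will additionally need `contents: read` here.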
I wonder what this is...
It allows GHA actions to request a JWT token on behalf of your repository. It's how flakehub-push authenticates with FlakeHub, instead of static tokens. Recently, crates.io started supporting doing the same thing: https://crates.io/docs/trusted-publishing
I was guessing this is authorization-related, but I worry that I don't understand where the secret is coming from and what has access to it.
I think the link to https://flakehub.com/user/settings?editview=organizations explains it. It results in requesting these permissions:

I haven't hit that button yet. I could try it, not sure if Google org's policies will allow it, but since I got to that screen -- probably?
But at least now it's clear to me what part of this process you need a maintainer for.
Cc: @aesipp, you might be a better person to think about this.
I totally understand. Just for general notes:
The JWT is created by GitHub's infrastructure: https://docs.github.com/en/actions/concepts/security/openid-connect
Any software that runs during this workflow is able to request one during the run. Since it is a JWT, it is passed to FlakeHub's backend for authentication. The token that flakehub-push requests has its audience set to https://api.flakehub.com:
- https://github.com/DeterminateSystems/flakehub-push/blob/284fbdee6cdba4d3386262ddf41486e512e59318/src/cli/mod.rs#L15-L20
- https://github.com/DeterminateSystems/flakehub-push/blob/284fbdee6cdba4d3386262ddf41486e512e59318/src/github/mod.rs#L62
fwiw the token doesn't grant any special powers within GitHub services, only services that have set up a trust relationship on their end.
I'm also happy to discuss/work with @thoughtpolice on it :) thanks!
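To make the audience and trust-relationship points above concrete, here is an added example of the checks a relying party such as FlakeHub's backend has to run on a GitHub Actions OIDC token before trusting it. This is not flakehub-push's or FlakeHub's code: the function names, the sample claims and the `DEMO_SECRET` are constructed for the example. Real tokens are RS256-signed with keys published at https://token.actions.githubusercontent.com/.well-known/jwks; to run offline the demo signs with HS256 and a constructed shared secret, and the claim checks are the point.

```python
"""Added example (not flakehub-push's code): validating a GitHub Actions
OIDC token's signature and claims on the relying-party side.  HS256 with a
constructed secret stands in for GitHub's RS256 JWKS so it runs offline."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Constructed demo secret standing in for GitHub's published signing keys.
DEMO_SECRET = b"demo-signing-key-stand-in-for-github-jwks"

# Constructed claims shaped like the ones GitHub puts in an Actions OIDC token.
SAMPLE_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": "https://api.flakehub.com",
    "sub": "repo:example-org/example-repo:ref:refs/tags/v1.2.3",
    "repository": "example-org/example-repo",
    "ref": "refs/tags/v1.2.3",
    "workflow": "release",
    "iat": 1_700_000_000,
    "exp": 1_700_000_600,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWT (header.payload.signature); HS256 for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_github_oidc(token: str, expected_aud: str, allowed_repos: set,
                       now: Optional[float] = None,
                       secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims if the token is acceptable, else raise ValueError.

    Signature first, so nothing in the payload is trusted before it is
    authenticated; then issuer, audience, expiry, and finally the repository
    the workflow ran in, which is the trust relationship the publisher set up.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never honour alg=none or a surprise alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != GITHUB_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:  # a token minted for another service is useless here
        raise ValueError(f"wrong audience {aud!r}")
    now = time.time() if now is None else now
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    repo = claims.get("repository")
    if repo not in allowed_repos:  # only repositories the operator enrolled may publish
        raise ValueError(f"repository {repo!r} has no trust relationship here")
    return claims


if __name__ == "__main__":
    token = mint_demo_token(SAMPLE_CLAIMS)
    accepted = verify_github_oidc(token, "https://api.flakehub.com",
                                  {"example-org/example-repo"}, now=1_700_000_300)
    print("accepted:", accepted["sub"])
```

The audience check is what stops a token requested for one service from being replayed against another, and the repository check is the server-side half of the trust relationship grahamc describes: a valid GitHub-signed token from a repository FlakeHub was never told about is still rejected. A production verifier would select the key by the header's `kid` from the fetched JWKS and verify RS256 rather than HS256.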
I don't imagine it's an immediate problem. It's just that we need to keep in mind that we are taking care of this token now, and have to be careful so that Bad Guys (tm) don't get a hold of it and publish Evil Stuff (tm) to Flakehub.
For this reason, I mildly prefer our current manual way of publishing to crates.io. Now that I think of it, perhaps it'd then be consistent to either publish to Flakehub manually, or not to do it, or to decide to automate the publishing to crates.io after all (as @thoughtpolice once wanted to do).
Right. There is no long-term token, so it'd have to be some bad-guy actor that abuses it during an actual execution of this workflow. It is possible, but mitigated in terms of access and duration. I understand the concern, though.
Unfortunately, we don't actually support publishing to FlakeHub manually right now. Only authenticated GitHub Actions / GitLab / a few other platforms are trusted for publishing. This is largely striving towards achieving greater SLSA levels.
Fixed up the zizmor notes.
Also note: since the workflow has workflow_dispatch, you can test it against an existing release.
- uses: "actions/checkout@v4" | ||
with: |
- uses: "actions/checkout@v4" | |
with: | |
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
with: | |
persist-credentials: false |
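Review bot: the replacement adds `persist-credentials: false` and a SHA pin, which covers both scanner findings for this step; the suggestion only shows the two lines it replaces, so confirm the `ref:` line under `with:` is kept when it is applied.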
- uses: "actions/checkout@v4" | ||
with: | ||
ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}" | ||
- uses: "DeterminateSystems/determinate-nix-action@v3" |
- uses: "DeterminateSystems/determinate-nix-action@v3" | |
- uses: DeterminateSystems/determinate-nix-action@b7303d63f88908d15f0bcb207e60b3a0ea7f1712 |
with: | ||
ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}" | ||
- uses: "DeterminateSystems/determinate-nix-action@v3" | ||
- uses: "DeterminateSystems/flakehub-push@main" |
- uses: "DeterminateSystems/flakehub-push@main" | |
- uses: DeterminateSystems/flakehub-push@71f57208810a5d299fc6545350981de98fdbc860 |
steps: | ||
- uses: "actions/checkout@v4" | ||
with: | ||
ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}" |
@grahamc, I don't know whether you can see it, but some security scan (maybe running zizmor with other settings) is unhappy with this line. It's a warning (not an error) that says:
artipacked: credential persistence through GitHub Actions artifacts
I haven't looked at what it means, nor whether it's inherent to what the action is doing or could be easily worked around by changing the action a little bit (in which case, you should probably change it for everybody).
Yeah, I saw that, thanks. That issue is because the template didn't specify persist-credentials: false (fixed: #7328 (comment)). I opened up a ticket internally to fix the wizard 👍
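The two scanner findings in this thread (floating `uses:` references and `actions/checkout` steps that keep the default `persist-credentials: true`) are easy to check for in any workflow before a scanner runs. The following is an added example of such a check; it is not zizmor's code or the project's, `find_steps` and `lint_workflow` are names chosen here, and the workflow text is constructed for the example from the shapes seen in this PR rather than being the PR's actual file.

```python
"""Added example (not zizmor's or the project's code): a small lint over a
GitHub Actions workflow for two findings discussed in this PR.
  unpinned-uses : a `uses:` reference that is a tag or branch, not a 40-hex SHA
  artipacked    : actions/checkout without `persist-credentials: false`, which
                  leaves the job token in .git/config for later steps/artifacts
The YAML is handled line-wise so the example needs only the standard library."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: x` or a bare `uses: x` key; quotes around the value are optional.
USES_RE = re.compile(r"""^(\s*)(-\s*)?uses:\s*["']?([^"'\s#]+)["']?""")

# Constructed sample workflow: three floating references and one unprotected
# checkout, followed by a checkout written the way the PR suggestion has it.
CONSTRUCTED_WORKFLOW = """\
name: release
on:
  workflow_dispatch:
jobs:
  flakehub-publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: "actions/checkout@v4"
        with:
          ref: refs/tags/v1
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/flakehub-push@main
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          persist-credentials: false
"""


def find_steps(text: str):
    """Return (line_no, action, ref, body_lines) for every `uses:` step.

    body_lines are the stripped lines belonging to the same step: those that
    are indented at least as deep as the `uses` key, until the indentation
    drops back (the next list item or the end of the steps block)."""
    lines = text.splitlines()
    steps = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        action, _, ref = m.group(3).partition("@")
        body = []
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) < key_indent:
                break
            body.append(nxt.strip())
        steps.append((i + 1, action, ref, body))
    return steps


def lint_workflow(text: str):
    """Return a list of (line_no, finding_id, detail) tuples."""
    findings = []
    for line_no, action, ref, body in find_steps(text):
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local and container references are not pinned by commit SHA
        if not SHA40.match(ref):
            findings.append((line_no, "unpinned-uses", f"{action}@{ref}"))
        if action == "actions/checkout":
            persist = next((b.split(":", 1)[1].strip().strip("\"'")
                            for b in body if b.startswith("persist-credentials:")), None)
            if persist != "false":
                findings.append((line_no, "artipacked",
                                 f"{action}@{ref} keeps persist-credentials at its default"))
    return findings


if __name__ == "__main__":
    for line_no, finding, detail in lint_workflow(CONSTRUCTED_WORKFLOW):
        print(f"line {line_no}: {finding}: {detail}")
```

Run against the constructed workflow it reports the first checkout twice (floating `@v4` and no `persist-credentials: false`) and the two Determinate actions once each, and reports nothing for the SHA-pinned checkout that sets `persist-credentials: false`, which is the shape the suggestions in this thread converge on. The body scan is deliberately simple: it treats any `persist-credentials:` key indented under the step as the step's own, which is enough for hand-written workflows but not a substitute for a real YAML parse in a scanner meant for arbitrary input.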
Update: The wizard has been fixed, thanks for flagging it: https://flakehub.com/new
By request of @grahamc.
I went through the steps (https://flakehub.com/new), but I'm not sure what the result of turning on this action will be (Update: and zizmor is unhappy about it).
(To be clear, IMO we should absolutely not merge this until one of us actually understands what's happening inside this action and feels they can maintain it)
We'd have to find out whether it works during the next release. For example, I had to sign in to Flakehub to generate this file, but I see nothing in it that associates me to it.
Discord discussion
TODO: Commit description if we're moving forward.