
Security improvements to GitHub Actions #17520

Merged
merged 10 commits into from
Jan 15, 2025

Conversation

frouioui
Member

@frouioui frouioui commented Jan 14, 2025

Description

In this PR the Assign Milestone and Release GitHub actions were modified to harden our GitHub Actions usage. The changes brought to these two workflows are made to avoid and limit potential pwn requests and cache poisoning attacks.

In addition to these two files, I have bumped the version of actions/checkout and made sure to disable persist-credentials where it was not needed.

Let's backport / do something similar on all release branches.

Assign Milestone

This workflow uses the pull_request_target trigger, meaning that the workflow is executed in the context of the PR's base commit, which can quickly become problematic if not handled correctly. I made the workflow a bit tighter by removing the setup-go step (which uses caching by default), by limiting the permissions, by adding a sanity check on the ./go/vt/servenv/version.go file that we read, and most importantly by not checking out the PR's HEAD but rather the base's HEAD.

Release

I have added a verification of fpm's checksum and disabled caching for the setup-go step. Disabling the cache in that workflow is a SLSA level 3 requirement:

SLSA 3 provides much stronger protections against tampering than earlier levels by preventing specific classes of threats, such as cross-build contamination.

This workflow was tested here: https://github.com/frouioui/vitess/actions/runs/12776723633/job/35616102340

Signed-off-by: Florent Poinsard <[email protected]>
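As an added illustration of the four hardening measures the description lists for the pull_request_target workflow (this is not the PR's own workflow file): least-privilege permissions, checkout of the base commit with persist-credentials off, no setup-go step, and a sanity check on version.go before its contents are used. The `actions/checkout@v4` tag, the assumed `const versionName = ...` shape of the version file, and the `gh pr edit` milestone step are assumptions, not taken from the PR.

```yaml
name: Assign Milestone

on:
  pull_request_target:
    types: [opened]

# Least privilege: the default GITHUB_TOKEN would otherwise bring broad write
# scopes into a workflow that any pull request can trigger.
permissions:
  pull-requests: write

jobs:
  assign_milestone:
    runs-on: ubuntu-latest
    steps:
      # Check out the base commit, never the PR head: under pull_request_target
      # the token is privileged, so code from the PR must not be able to run here.
      # persist-credentials is off because no later step pushes with the token.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.sha }}
          persist-credentials: false

      # No actions/setup-go step: it caches by default, and a cache entry
      # written from an untrusted context could be restored into this
      # privileged job (cache poisoning). Reading one file needs no toolchain.

      - name: Sanity-check version.go before trusting its contents
        run: |
          f=./go/vt/servenv/version.go
          test -f "$f"
          # Assumed shape of the file: exactly one versionName constant.
          [ "$(grep -c '^const versionName = ' "$f")" -eq 1 ]
          v=$(grep '^const versionName = ' "$f" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
          [ -n "$v" ]
          echo "MILESTONE=v$v" >> "$GITHUB_ENV"

      # Event data is passed through env, never interpolated into the shell
      # line, so a crafted value cannot alter the command that runs.
      - name: Assign milestone
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --milestone "$MILESTONE"
```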
Contributor

vitess-bot bot commented Jan 14, 2025

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

  • Ensure that the Pull Request has a descriptive title.
  • Ensure there is a link to an issue (except for internal cleanup and flaky test fixes), new features should have an RFC that documents use cases and test cases.

Tests

  • Bug fixes should have at least one unit or end-to-end test, enhancement and new features should have a sufficient number of tests.

Documentation

  • Apply the release notes (needs details) label if users need to know about this change.
  • New features should be documented.
  • There should be some code comments as to why things are implemented the way they are.
  • There should be a comment at the top of each new or modified test to explain what the test does.

New flags

  • Is this flag really necessary?
  • Flag names must be clear and intuitive, use dashes (-), and have a clear help text.

If a workflow is added or modified:

  • Each item in Jobs should be named in order to mark it as required.
  • If the workflow needs to be marked as required, the maintainer team must be notified.

Backward compatibility

  • Protobuf changes should be wire-compatible.
  • Changes to _vt tables and RPCs need to be backward compatible.
  • RPC changes should be compatible with vitess-operator
  • If a flag is removed, then it should also be removed from vitess-operator and arewefastyet, if used there.
  • vtctl command output order should be stable and awk-able.

@vitess-bot vitess-bot bot added NeedsBackportReason If backport labels have been applied to a PR, a justification is required NeedsDescriptionUpdate The description is not clear or comprehensive enough, and needs work NeedsIssue A linked issue is missing for this Pull Request NeedsWebsiteDocsUpdate What it says labels Jan 14, 2025
@github-actions github-actions bot added this to the v22.0.0 milestone Jan 14, 2025
@frouioui frouioui added Type: Internal Cleanup Component: Build/CI Backport to: release-19.0 Needs to be back ported to release-19.0 Backport to: release-20.0 Needs to be backport to release-20.0 Backport to: release-21.0 Needs to be backport to release-21.0 and removed NeedsDescriptionUpdate The description is not clear or comprehensive enough, and needs work NeedsWebsiteDocsUpdate What it says NeedsIssue A linked issue is missing for this Pull Request NeedsBackportReason If backport labels have been applied to a PR, a justification is required labels Jan 14, 2025

codecov bot commented Jan 14, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.71%. Comparing base (a9d6969) to head (890c2a8).
Report is 8 commits behind head on main.

Additional details and impacted files
```
@@            Coverage Diff             @@
##             main   #17520      +/-   ##
==========================================
+ Coverage   67.69%   67.71%   +0.01%     
==========================================
  Files        1584     1584              
  Lines      254541   254509      -32     
==========================================
+ Hits       172315   172340      +25     
+ Misses      82226    82169      -57     
```


@frouioui frouioui marked this pull request as ready for review January 14, 2025 22:15
Contributor

@mattlord mattlord left a comment


Thanks, @frouioui !

.github/workflows/create_release.yml (review thread, outdated, resolved)
@@ -13,6 +13,7 @@ env:

jobs:
build:
timeout-minutes: 60
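Review bot: the new `timeout-minutes: 60` on the `build` job carries no comment explaining the value; a one-line YAML comment tying it to the observed duration of the release build (the description links a test run) would stop it from being raised or dropped without thought, and it is worth stating that the bound also limits how long a stuck or compromised runner can hold the release token. The hunk header `@@ -13,6 +13,7 @@` covers only this job, so check that the file's other jobs get the same bound.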
👍🏽

Contributor

@rohit-nayak-ps rohit-nayak-ps left a comment


❤️

@frouioui frouioui merged commit cbf146b into vitessio:main Jan 15, 2025
106 checks passed
@frouioui frouioui deleted the harden-github-action-workflows branch January 15, 2025 14:02
frouioui added a commit that referenced this pull request Jan 15, 2025
frouioui added a commit that referenced this pull request Jan 15, 2025
frouioui added a commit that referenced this pull request Jan 15, 2025
frouioui added a commit that referenced this pull request Jan 16, 2025
frouioui added a commit that referenced this pull request Jan 16, 2025
frouioui added a commit that referenced this pull request Jan 16, 2025
Labels
Backport to: release-19.0 Needs to be back ported to release-19.0 Backport to: release-20.0 Needs to be backport to release-20.0 Backport to: release-21.0 Needs to be backport to release-21.0 Component: Build/CI Type: Internal Cleanup
3 participants