From fe84eda0f5da0ac19044516862987413eb5039fb Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Wed, 20 Mar 2024 21:59:45 +0100
Subject: [PATCH] Continuously validate ghasum checksums at the job level

Remove the GitHub Actions workflow that continuously validates the ghasum checksums for all Actions in this project in favor of a per-job step that validates the ghasum checksums for that job only. This reduces makes jobs self-validating, which prevents potentially compromised jobs from executing while allowing other jobs to keep running.

The implementation leverages GitHub Actions context values to determine what job to validate, resulting in an identical step in all jobs. This makes it a good proof of concept for a ghasum action that can be used in any job.

This commit is a followup to <2effc08890ff0aaa80d46a390489693b3c3deddc>.
---
 .github/workflows/audit.yml | 7 ++++++
 .github/workflows/check.yml | 42 +++++++++++++++++++++++++++++++++++
 .github/workflows/codeql.yml | 7 ++++++
 .github/workflows/ghasum.yml | 22 ------------------
 .github/workflows/publish.yml | 7 ++++++
 .github/workflows/semgrep.yml | 11 +++++++++
 6 files changed, 74 insertions(+), 22 deletions(-)
 delete mode 100644 .github/workflows/ghasum.yml

diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index cfd61f1..ece4964 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -26,5 +26,12 @@ jobs:
         uses: actions/setup-go@v5.0.0
         with:
           go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Audit
         run: go run tasks.go audit
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 5cc9468..0d3b3f1 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
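Review bot: The new "Verify action checksums" step runs only after `actions/checkout@v4.1.2` and `actions/setup-go@v5.0.0` have already executed, so those two actions are never covered by the ghasum check in this job; the same ordering applies to every other hunk in check.yml, codeql.yml, publish.yml and semgrep.yml. The commit message says compromised jobs are prevented from executing, but that holds only for actions placed after this step, which is worth recording in the step itself, e.g. `# NOTE: checkout and setup-go run before this step and are not covered by it`. Since those bootstrap actions are the one gap this check cannot close, pinning them by commit SHA rather than by mutable tag (`uses: actions/checkout@<commit-sha>  # v4.1.2`, placeholder) would narrow it. The `cut` pipeline also deserves a one-line comment stating the layout it relies on, `# github.workflow_ref is "<owner>/<repo>/.github/workflows/<file>@<ref>"; keep only the path part`.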
@@ -18,6 +18,13 @@ jobs:
         uses: actions/setup-go@v5.0.0
         with:
           go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Build binary
         run: go run tasks.go build
   dogfeed:
@@ -32,6 +39,13 @@ jobs:
         uses: actions/setup-go@v5.0.0
         with:
           go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Uninitialize ghasum
         run: rm -f .github/workflows/gha.sum
       - name: Run on this repository
@@ -50,6 +64,13 @@ jobs:
         uses: actions/setup-go@v5.0.0
         with:
           go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Check source code formatting
         run: go run tasks.go format-check
   reproducible:
@@ -64,6 +85,13 @@ jobs:
         uses: actions/setup-go@v5.0.0
         with:
           go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Check reproducibility
         run: go run tasks.go reproducible
   test:
@@ -78,6 +106,13 @@ jobs:
         uses: actions/setup-go@v5.0.0
         with:
           go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Run tests
         run: go run tasks.go coverage
   vet:
@@ -92,5 +127,12 @@ jobs:
         uses: actions/setup-go@v5.0.0
         with:
           go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Vet source code
         run: go run tasks.go vet
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d2711d8..d84d927 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,6 +20,13 @@ jobs:
         uses: actions/setup-go@v5.0.0
         with:
           go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3.24.7
         with:
diff --git a/.github/workflows/ghasum.yml b/.github/workflows/ghasum.yml
deleted file mode 100644
index 09aeb04..0000000
--- a/.github/workflows/ghasum.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-name: ghasum
-on:
-  pull_request: ~
-  push:
-    branches:
-      - main
-
-permissions: read-all
-
-jobs:
-  verify:
-    name: Verify
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4.1.2
-      - name: Install Go
-        uses: actions/setup-go@v5.0.0
-        with:
-          go-version-file: go.mod
-      - name: Verify checksums
-        run: go run ./cmd/ghasum verify -cache /home/runner/work/_actions
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9f435a4..a30119d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -19,6 +19,13 @@ jobs:
         uses: actions/setup-go@v5.0.0
         with:
           go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Get release version
         id: version
         shell: bash
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index c0e8e19..b546ac3 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -17,6 +17,17 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4.1.2
+      - name: Install Go
+        uses: actions/setup-go@v5.0.0
+        with:
+          go-version-file: go.mod
+      - name: Verify action checksums
+        env:
+          JOB: ${{ github.job }}
+          WORKFLOW: ${{ github.workflow_ref }}
+        run: |
+          WORKFLOW=$(echo "$WORKFLOW" | cut -d '@' -f 1 | cut -d '/' -f 3-5)
+          go run ./cmd/ghasum verify -cache /home/runner/work/_actions "$WORKFLOW:$JOB"
       - name: Perform Semgrep analysis
         run: semgrep ci --sarif --output semgrep.sarif
         env:
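Review bot: Installing Go in the Semgrep job solely to build the verifier with `go run ./cmd/ghasum` means this job now runs two unverified actions (checkout and the newly added `actions/setup-go@v5.0.0`) before any checksum is checked, whereas before this hunk it ran only one. If the Semgrep job executes inside a container (its job header is outside the hunk, so this is an assumption), the hardcoded `-cache /home/runner/work/_actions` path may not be where the actions cache is mounted for container steps, and the step would fail or verify nothing. Deriving the cache location from a runner-provided variable instead of a fixed host path, or using a prebuilt verifier so no toolchain action is needed, would remove both the extra bootstrap action and the path assumption.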