Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure Trusted Code Checkout in GitHub Actions Workflow #7034

Merged
merged 2 commits into from
Sep 16, 2024

Conversation

UlisesGascon
Copy link
Member

Description

This pull request addresses a potential security issue in our GitHub Actions workflow by ensuring that the code being checked out is from a trusted source. The changes include:

Conditional Ref Checkout:

  • Modified the Git Checkout step to conditionally use the pull request commit SHA (github.event.pull_request.head.sha) only if the event is a pull request.
  • For other events, it defaults to using github.ref.

Validation

No local validation was done. This is related to the OSSF Scorecard

Related Issues

See: #6979

Check List

  • I have read the Contributing Guidelines and made commit messages that follow the guideline.
  • I have run npm run format to ensure the code follows the style guide.
  • I have run npm run test to check if all tests are passing.
  • I have run npx turbo build to check if the website builds without errors.
  • I've covered new added functionality with unit tests if necessary.

@UlisesGascon UlisesGascon requested a review from a team as a code owner September 10, 2024 17:45
Copy link

vercel bot commented Sep 10, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated (UTC)
nodejs-org ✅ Ready (Inspect) Visit Preview Sep 16, 2024 7:55am

@UlisesGascon UlisesGascon changed the title GitHub Copilot Pull Request Description Title Ensure Trusted Code Checkout in GitHub Actions Workflow Ensure Trusted Code Checkout in GitHub Actions Workflow Sep 10, 2024
@UlisesGascon UlisesGascon mentioned this pull request Sep 10, 2024
5 tasks
.github/workflows/build.yml Outdated Show resolved Hide resolved
.github/workflows/lighthouse.yml Outdated Show resolved Hide resolved
.github/workflows/lint-and-tests.yml Outdated Show resolved Hide resolved
.github/workflows/lint-and-tests.yml Outdated Show resolved Hide resolved
.github/workflows/translations-pr.yml Outdated Show resolved Hide resolved
@ovflowd
Copy link
Member

ovflowd commented Sep 13, 2024

@UlisesGascon waiting for you to address the code review changes :)

@RedYetiDev
Copy link
Member

For what it's worth, I don't see any security risks with the current setup. If the PR SHA is available, it will be used; otherwise, github.ref (which points to the main branch in this case) will be utilized.

The PR SHA can be trusted in this case, as it points to the SHA at the event triggering the workflow execute, meaning that there is no possibility for a race-condition.

@ovflowd
Copy link
Member

ovflowd commented Sep 13, 2024

For what it's worth, I don't see any security risks with the current setup. If the PR SHA is available, it will be used; otherwise, github.ref (which points to the main branch in this case) will be utilized.

The PR SHA can be trusted in this case, as it points to the SHA at the event triggering the workflow execute, meaning that there is no possibility for a race-condition.

I agree here; the Github object is reserved; although you can trigger GitHub Actions with custom WebHook payloads, we don't have any configured here. And if that ever happened, this change would be ineffective regardless.

I'm neutral to the change, but I don't believe it is needed.

@UlisesGascon
Copy link
Member Author

For what it's worth, I don't see any security risks with the current setup.

+1 I just want to see if we can remove the warnings from the scorecard 🫤

@ovflowd
Copy link
Member

ovflowd commented Sep 16, 2024

For what it's worth, I don't see any security risks with the current setup.

+1 I just want to see if we can remove the warnings from the scorecard 🫤

I am starting to question the real value of the scorecard if it is dumb enough to not recognise false positives.

Copy link
Member

@ovflowd ovflowd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM -- for the sake of our scorecard 🤷

Copy link

github-actions bot commented Sep 16, 2024

Lighthouse Results

URL Performance Accessibility Best Practices SEO Report
/en 🟢 98 🟢 100 🟢 100 🟢 91 🔗
/en/about 🟢 100 🟢 100 🟢 100 🟢 91 🔗
/en/about/previous-releases 🟢 98 🟢 100 🟢 100 🟢 92 🔗
/en/download 🟢 100 🟢 100 🟢 100 🟢 91 🔗
/en/blog 🟢 100 🟢 100 🟢 100 🟢 92 🔗

Copy link

Unit Test Coverage Report

Lines Statements Branches Functions
Coverage: 92%
90.54% (594/656) 76.29% (177/232) 94.57% (122/129)

Unit Test Report

Tests Skipped Failures Errors Time
131 0 💤 0 ❌ 0 🔥 5.228s ⏱️

@ovflowd ovflowd added this pull request to the merge queue Sep 16, 2024
Merged via the queue into nodejs:main with commit ae06243 Sep 16, 2024
15 checks passed
joeeames pushed a commit to joeeames/nodejs.org that referenced this pull request Sep 24, 2024
* feat: Ensure Trusted Code Checkout in GitHub Actions Workflow

* fix: update GitHub event name
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants