Run token-based CI in a secure way.
This protects our token secrets from PR attackers. Exposing GitHub secure tokens
as part of a random PR build system is a security risk:
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Instead, we should export the relevant PR information and then run the workflow
which has our tokens.

Should fix #226.
vgvassilev committed Apr 28, 2021
1 parent 4851107 commit 4da9693
Showing 2 changed files with 67 additions and 10 deletions.
21 changes: 11 additions & 10 deletions .github/workflows/ci.yml
@@ -259,7 +259,6 @@ jobs:
compiler: gcc-6
clang-runtime: '11'
coverage: true
clang-format: true

- name: ubu18-gcc8-runtime11
os: ubuntu-18.04
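Review bot: with `clang-format: true` removed from the gcc-6 matrix entry, `coverage: true` becomes the only thing that distinguishes this job, and the new `Save PR Info` / `upload-artifact` steps in the next hunk are gated on `matrix.coverage == true`. The coverage flag now silently carries a second meaning ("the job that exports PR metadata"), which breaks as soon as someone enables coverage on a second matrix entry: two jobs would then upload an artifact named `pr`. A dedicated key such as `export-pr-info: true`, or at least a comment on this entry naming the side effect, would make the coupling visible.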
@@ -300,6 +299,17 @@ jobs:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Save PR Info
if: ${{ matrix.coverage == true }}
run: |
mkdir -p ./pr
echo ${{ github.event.number }} > ./pr/NR
echo ${{ github.repository }} > ./pr/REPO
- uses: actions/upload-artifact@v2
if: ${{ matrix.coverage == true }}
with:
name: pr
path: pr/
- uses: nelonoel/[email protected]
- name: Setup default Build Type
run: |
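Review bot: the `Save PR Info` step runs in the untrusted `pull_request` context, so whatever lands in `./pr/NR` and `./pr/REPO` must be treated as attacker-controlled by the consuming workflow. The `${{ }}` expansion into the shell is safe here, since `github.event.number` and `github.repository` are set by GitHub rather than the PR author, but a fork PR can edit this workflow file itself and make the step write arbitrary content into the artifact; the linked securitylab article calls out exactly this hand-off from an unprivileged to a privileged workflow. The design is fine provided `postci.yml` validates the values before use, so a comment on this step stating that the artifact is untrusted input would help the next maintainer. Minor: quote the `echo` arguments (`echo "${{ github.repository }}"`) for consistency with the rest of the file.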
@@ -566,15 +576,6 @@ jobs:
python3 -m pip show lit
cat obj/CMakeCache.txt
cat obj/CMakeFiles/*.log
- name: Invoke workflow clang-format on compiler-research
if: ${{ success() && (matrix.clang-format == true) }}
uses: benc-uk/workflow-dispatch@v1
with:
workflow: SuggestFormattingChanges
repo: compiler-research/knowall
token: ${{ secrets.PERSONAL_TOKEN }}
ref: main # The SuggestFormattingChanges branch
inputs: '{ "repo": "${{ github.repository }}", "pull_id": "${{ github.event.number }}" }'
- name: Setup tmate session
if: ${{ failure() }}
uses: mxschmitt/action-tmate@v3
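Review bot: moving this step out of the `pull_request`-triggered workflow is the actual fix, because it was the only consumer of `secrets.PERSONAL_TOKEN` in `ci.yml`. Worth recording in the commit message that for pull requests from forks this step never worked anyway (GitHub withholds repository secrets from fork `pull_request` runs, so `token:` was empty there) while still being a liability for same-repo PRs; the `workflow_run` design in `postci.yml` fixes both. Note that the old condition was `success() && matrix.clang-format == true`, so the `success()` half needs to be carried over to the new workflow's `if:`.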
56 changes: 56 additions & 0 deletions .github/workflows/postci.yml
@@ -0,0 +1,56 @@
name: PostMain
on:
workflow_run:
workflows: [Main]
types: [completed]

jobs:
knowall:
runs-on: ubuntu-latest
if: >
${{ github.event.workflow_run.event == 'pull_request'}}
steps:
- name: 'Download artifact'
uses: actions/[email protected]
with:
script: |
var artifacts = await github.actions.listWorkflowRunArtifacts({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: ${{github.event.workflow_run.id }},
});
var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
return artifact.name == "pr"
})[0];
var download = await github.actions.downloadArtifact({
owner: context.repo.owner,
repo: context.repo.repo,
artifact_id: matchArtifact.id,
archive_format: 'zip',
});
var fs = require('fs');
fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
- run: |
unzip pr.zip
cat ./NR
cat ./REPO
echo "PR_NUMBER=`cat ./NR`" >> $GITHUB_ENV
echo "PR_REPO=`cat ./REPO`" >> $GITHUB_ENV
- uses: actions/checkout@v2
with:
fetch-depth: 0

- name: Invoke workflow clang-format on compiler-research
uses: benc-uk/workflow-dispatch@v1
with:
workflow: SuggestFormattingChanges
repo: compiler-research/knowall
token: ${{ secrets.PERSONAL_TOKEN }}
ref: main # The SuggestFormattingChanges branch
inputs: '{ "repo": "$PR_REPO", "pull_id": "$PR_NUMBER" }'

- name: Failed job config
if: ${{ failure() }}
run: |
export
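Review bot: the `inputs:` value of the `workflow-dispatch` step is an action input, not a shell command, so it is never expanded and the dispatched workflow receives the literal strings `$PR_REPO` and `$PR_NUMBER` instead of the values written to `$GITHUB_ENV` two steps earlier; it needs the expression form, e.g. `inputs: '{ "repo": "${{ env.PR_REPO }}", "pull_id": "${{ env.PR_NUMBER }}" }'`. Second, this job holds `secrets.PERSONAL_TOKEN` while the `pr` artifact comes from the unprivileged run, and `echo "PR_NUMBER=`cat ./NR`" >> $GITHUB_ENV` copies those bytes straight into `GITHUB_ENV`: a file containing a newline lets the PR author define additional environment variables for every later step of this privileged job. Validate before exporting, for instance `[[ "$(cat ./NR)" =~ ^[0-9]+$ ]]` and `[ "$(cat ./REPO)" = "${{ github.repository }}" ]`, and fail the job otherwise. Third, the job-level `if:` only checks `workflow_run.event == 'pull_request'`; the step it replaces ran under `success()`, so add `&& github.event.workflow_run.conclusion == 'success'`, and guard the `.filter(...)[0]` result, because `matchArtifact.id` throws an unhelpful `TypeError` when the run uploaded no `pr` artifact (e.g. the coverage job failed before the upload step). Finally, the `export` in `Failed job config` dumps the whole environment into the log of a job that carries a PAT; the token is passed as an action input rather than an env var and GitHub masks registered secrets, but a narrower debug dump would be safer than the entire environment.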
