From e0af0aea12f2e8ae4580fc2c43801abc509b6f1d Mon Sep 17 00:00:00 2001
From: Joey Parrish
Date: Tue, 17 Dec 2024 15:47:11 -0800
Subject: [PATCH] ci: Do not persist credentials after checkout
See https://github.com/actions/checkout/issues/485 and https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/ In short, it is a terrible idea to persist even our default credentials after checkout. There's no call for that, so we will now set `persist-credentials: false` on all checkout actions. The only exceptions are for the release job, which wants to push a tag and create a branch, each of which explicitly persist credentials now and explains why in a comment.
---
 .github/workflows/build-and-test.yaml | 3 +++
 .github/workflows/demo-version-index.yaml | 1 +
 .github/workflows/release-please.yaml | 7 +++++++
 .github/workflows/report-incremental-coverage.yaml | 2 ++
 .github/workflows/selenium-lab-tests.yaml | 3 +++
 .github/workflows/talk-to-shaka-bot.yaml | 2 ++
 .github/workflows/update-screenshots.yaml | 3 +++
 7 files changed, 21 insertions(+)
diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index a75407ef4f..b740c257b0 100644
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -31,6 +31,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ inputs.ref || github.ref }}
+ persist-credentials: false
 - name: Lint
 run: python build/check.py
@@ -104,6 +105,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ inputs.ref || github.ref }}
+ persist-credentials: false
 # Older versions of Safari can be installed, but not to the root, and it
 # can't replace the standard version, at least not on GitHub's VMs. If
@@ -256,6 +258,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ inputs.ref || github.ref }}
+ persist-credentials: false
 - name: Docker
 run: |
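Review bot: Every checkout step touched by this patch, starting with `uses: actions/checkout@v4` in the first hunk here, references the action by a mutable tag, which is the same class of supply-chain exposure the commit message cites; pinning it to a full commit SHA with the version as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v4`, makes the checkout step itself immutable. `persist-credentials: false` only keeps the token out of the local git config; a later step that references `${{ github.token }}` explicitly still receives it, so the job-level `permissions:` block (outside these hunks) remains the control that bounds what a compromised step can do and is worth confirming to be `contents: read` for all three jobs in this file. The enclosing jobs begin and end outside the hunks.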
diff --git a/.github/workflows/demo-version-index.yaml b/.github/workflows/demo-version-index.yaml
index 699606334c..399c246b17 100644
--- a/.github/workflows/demo-version-index.yaml
+++ b/.github/workflows/demo-version-index.yaml
@@ -30,6 +30,7 @@ jobs:
 with:
 # We need a list of all tags for this, so fetch the entire history.
 fetch-depth: 0
+ persist-credentials: false
 - uses: google-github-actions/auth@v2
 with:
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index 0f1495b26c..bc35c165a2 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -40,6 +40,10 @@ jobs:
 ref: main
 # Use a special shaka-bot access token for releases.
 token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+ # We want to explicitly use these credentials to push a tag.
+ # The job is only one more step, so they don't leak.
+ persist-credentials: true
+
 - name: Tag the main branch
 run: |
 # Set missing git config for the tag.
@@ -189,6 +193,9 @@ jobs:
 fetch-depth: 0
 # Use a special shaka-bot access token for releases.
 token: ${{ secrets.RELEASE_PLEASE_TOKEN }}
+ # We want to explicitly use these credentials to create the branch.
+ # The job is only one more step, so they don't leak.
+ persist-credentials: true
 - name: Create release branch
 run: |
diff --git a/.github/workflows/report-incremental-coverage.yaml b/.github/workflows/report-incremental-coverage.yaml
index 27618fe335..86c157967f 100644
--- a/.github/workflows/report-incremental-coverage.yaml
+++ b/.github/workflows/report-incremental-coverage.yaml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Compute incremental code coverage
 id: compute
diff --git a/.github/workflows/selenium-lab-tests.yaml b/.github/workflows/selenium-lab-tests.yaml
index 5ffc9aff6c..bda7baf551 100644
--- a/.github/workflows/selenium-lab-tests.yaml
+++ b/.github/workflows/selenium-lab-tests.yaml
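Review bot: In the release-please hunk at `@@ -40,6 +40,10 @@`, the added comment justifies `persist-credentials: true` by the job having only one more step, but nothing enforces that invariant: as I understand actions/checkout, its post step removes the stored auth header only when the job ends, so any step or action post-hook that a later change appends after the tag push would inherit `RELEASE_PLEASE_TOKEN` from the local git config. The same applies to the hunk at `@@ -189,6 +193,9 @@` that creates the release branch. Consider having each push step drop the credential itself as its last line, `git config --local --unset-all http.https://github.com/.extraheader`, and rewording the comment to state the rule rather than the current step count: `# Do not add steps after the push: checkout only removes this header when the job ends.` Both release jobs begin and end outside the hunks.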
@@ -84,6 +84,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: ${{ needs.compute-sha.outputs.SHA }}
+ persist-credentials: false
 - name: Install dependencies
 run: npm ci
@@ -154,6 +155,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: ${{ needs.compute-sha.outputs.SHA }}
+ persist-credentials: false
 - name: Set commit status to pending
 if: ${{ inputs.skip_test_status == false }}
@@ -235,6 +237,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: ${{ needs.compute-sha.outputs.SHA }}
+ persist-credentials: false
 - name: Set commit status to pending
 if: ${{ inputs.skip_commit_status == false }}
diff --git a/.github/workflows/talk-to-shaka-bot.yaml b/.github/workflows/talk-to-shaka-bot.yaml
index 3a90e775e7..12cca0bb6f 100644
--- a/.github/workflows/talk-to-shaka-bot.yaml
+++ b/.github/workflows/talk-to-shaka-bot.yaml
@@ -24,6 +24,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Handle command
 shell: bash
diff --git a/.github/workflows/update-screenshots.yaml b/.github/workflows/update-screenshots.yaml
index 28848ad991..82ffeb3452 100644
--- a/.github/workflows/update-screenshots.yaml
+++ b/.github/workflows/update-screenshots.yaml
@@ -33,6 +33,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: ${{ needs.compute-sha.outputs.SHA }}
+ persist-credentials: false
 - name: Set commit status to pending
 uses: shaka-project/shaka-github-tools/set-commit-status@main
@@ -61,6 +62,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: ${{ needs.compute-sha.outputs.SHA }}
+ persist-credentials: false
 - name: Get artifacts
 uses: actions/download-artifact@v4
@@ -114,6 +116,7 @@ jobs:
 - uses: actions/checkout@v4
 with:
 ref: ${{ needs.compute-sha.outputs.SHA }}
+ persist-credentials: false
 - name: Compute final status
 id: compute
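Review bot: `uses: shaka-project/shaka-github-tools/set-commit-status@main` in the update-screenshots hunk at `@@ -33,6 +33,7 @@` references an action by a mutable branch, so a push to that branch changes what runs in this job without any review in this repository; pinning it to a commit SHA with a trailing `# main` comment closes that gap and is the same class of risk the commit message cites. In the selenium-lab-tests hunk at `@@ -84,6 +84,7 @@`, the step right after the hardened checkout is `run: npm ci`, which executes lifecycle scripts from the tree at `needs.compute-sha.outputs.SHA`; if that SHA can resolve to a pull-request head (not visible here), `npm ci --ignore-scripts` or a read-only `permissions:` block with no secrets in that step's environment limits what such a script can reach. The jobs these hunks belong to begin and end outside the hunks.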