-
Notifications
You must be signed in to change notification settings - Fork 504
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🐛 fix dangerous workflow test and workflow parsing #1283
Conversation
Signed-off-by: Asra Ali <[email protected]>
Fixes #1257 (comment) dangerous workfow check on systemd btw @evverx |
Still planning on moving to the other parser, just figured i'd fix this bug while it's here |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
I can confirm that the issue is gone. Thanks! |
@azeemshaikh38 is there a known issue with the e2e token? |
Looks like an issue. I will turn off the check required we will get this merged and I will send out a PR for that. |
Let's not turn off e2e tests to merge PRs please. What is the issue with the token exactly? Can we fix that first before we merge this in? |
I don't know. I would have to investigate. I can turn it back on. |
Looks like a common issue:
The workaround is very complicated AFAICT. How about we remove the |
Yes, do turn it back on. Thanks Naveen! |
If it's similar to the "labeler" action it could probably be fixed by simply switching to "pull_request_target" instead of "pull_request". As far as I can see, judging by https://github.com/peter-evans/create-or-update-comment#action-inputs
That would certainly be a dangerous workflow though given that there is a checkout somewhere :-) Another option would be to switch to
It's an interesting coincidence that the PR related to dangerous workflows triggered an issue related to dangerous workflows :-) |
Thanks @evverx very helpful as always :) I'm thinking of removing the @asraa could you comment out this step in your PR and see if that unblocks you from submitting - https://github.com/ossf/scorecard/blob/main/.github/workflows/integration.yml#L100 |
Signed-off-by: Asra Ali <[email protected]>
Looks its still failing on missing the auth token this when it tries to check-env, despite being set here, I think.
|
Argh! This is frustrating - https://docs.github.com/en/actions/security-guides/encrypted-secrets. Will look into it. If I can't resolve this by tomo will force submit this PR myself. |
Ok, so this is my understanding so far based on https://securitylab.github.com/research/github-actions-preventing-pwn-requests/:
@asraa @laurentsimon @naveensrinivasan for any feedback to ensure I'm not missing anything here. Will be sending out a PR to fix this, can also discuss over there. |
related note: @asraa looks like to remove false positive for dangerous workflows check in this case, we need to check the permissions set in the repo (pull_request_target + ref + permissions set seems fine). Let's create a tracking issue. Once we merge Token-Permissions into Dangerous workflows, it will make it easier to implement. |
created issue #1311 to track. |
Integration tests success for |
Ok, looks like the protected environment is working. Phew! |
Yes!! Thanks |
Signed-off-by: Asra Ali [email protected]
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
Fixes unit test for dangerous workflow
Fixes small issue with workflow parsing the trigger.
What is the current behavior? (You can also link to an open issue here)
What is the new behavior (if this is a feature change)?
dangerous workflow check succeeds for system/systemd where before it wouldn't recognize a list of event triggers (seems to parse as
[]interface{}
rather than[]string
)https://github.com/systemd/systemd/blob/2ec0c4f94de7091c2f4fdf76742bb793d64de781/.github/workflows/labeler.yml#L7-L8
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
Other information: