CI: Hashpin sensitive workflow dependencies and install dependabot to update them #75620
Labels
Comments
boomanaiden154
pushed a commit
that referenced
this issue
Jan 15, 2024
…m automatically (#75859) Closes #75620 As I mentioned on the issue, this PR aims to hash-pin the CI dependencies used on sensitive context -- i.e., they either are called with write permissions, or are being used to build critical artifacts like a release. In summary, this PR brings 3 changes: 1. Hash pin GitHub Actions called on sensitive context 2. Hash pin python dependencies used on sensitive context 3. Configure dependabot to automatically update those hashes I'm further explaining the steps bellow. The dependencies in format of GitHub Actions, I simply hash-pinned them. I also made sure to keep the human-readable version as comments at the same line. At the [release-tasks.yml](https://github.com/llvm/llvm-project/blob/main/.github/workflows/release-tasks.yml) file, I've changed the installation method of some python dependencies to install them considering their hashpinning. That required the generation of a requirements file that had all the correct hashes, and for that I used [pip-tools](https://pypi.org/project/pip-tools/2.0.0/). While configuring dependabot, I set it to send a monthly PR updating all the GitHub Actions, and a weekly PR to update any python dependency required by [/llvm/docs/requirements.txt](https://github.com/llvm/llvm-project/blob/main/llvm/docs/requirements.txt). Let me know if you have any questions or concerns, I'd be happy to clarify and help. Thanks! --------- Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
justinfargnoli
pushed a commit
to justinfargnoli/llvm-project
that referenced
this issue
Jan 28, 2024
…m automatically (llvm#75859) Closes llvm#75620 As I mentioned on the issue, this PR aims to hash-pin the CI dependencies used on sensitive context -- i.e., they either are called with write permissions, or are being used to build critical artifacts like a release. In summary, this PR brings 3 changes: 1. Hash pin GitHub Actions called on sensitive context 2. Hash pin python dependencies used on sensitive context 3. Configure dependabot to automatically update those hashes I'm further explaining the steps bellow. The dependencies in format of GitHub Actions, I simply hash-pinned them. I also made sure to keep the human-readable version as comments at the same line. At the [release-tasks.yml](https://github.com/llvm/llvm-project/blob/main/.github/workflows/release-tasks.yml) file, I've changed the installation method of some python dependencies to install them considering their hashpinning. That required the generation of a requirements file that had all the correct hashes, and for that I used [pip-tools](https://pypi.org/project/pip-tools/2.0.0/). While configuring dependabot, I set it to send a monthly PR updating all the GitHub Actions, and a weekly PR to update any python dependency required by [/llvm/docs/requirements.txt](https://github.com/llvm/llvm-project/blob/main/llvm/docs/requirements.txt). Let me know if you have any questions or concerns, I'd be happy to clarify and help. Thanks! --------- Signed-off-by: Diogo Teles Sant'Anna <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, I'm Diogo and I'm back (see #69736). At the issue #69736 I suggested you to set minimal permissions to your workflows. Now I'm coming back to suggest a modification that would provide extra safety for the workflows that yet require dangerous permissions (e.g., contents: write).
Problem
Your workflows release-binaries.yml and release-tasks.yml are using dangerous permissions while running external dependencies pinned only by tag. Both are using external unpinned GitHub Actions, and the release-tasks.yml is also installing unhashed Python dependencies (see https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode). Those patterns could be dangerous because if any of those actions get hijacked (and at the end they're all repositories and are susceptible to attacks like any other), an attacker could change the code that your tags point to, gaining access to your secrets and/or write permissions to your repository.
Proposed Solution
A solution for this problem would be to hash-pin those sensitive dependencies. For the GitHub Actions, we'd point the actions to the very specific commit of that release. It follows an example of the change:
And this would enforce that your action is always running at the expected code.
For the python dependency, we could install them using Python hash-checking mode.
The only downsize of those solutions is that it gets trickier to manually update the version of the actions as they get out-of-date, but that can be solved by using a Dependency-Update-Tool (like dependabot or renovatebot). We can configure it to update all workflow dependencies in a single monthly PR, for example -- for security updates, the tool would immediately create the PRs regardless of the frequency set. For the case of the hash-pinning, the PRs would still keep a comment with the human-readable version used =).
Conclusion
I'll take the liberty of raising a PR implementing my suggestions, so that it becomes easier for you to evaluate. Let me know if you have any questions or concerns.
The text was updated successfully, but these errors were encountered: