Posted to commits@airflow.apache.org by po...@apache.org on 2020/12/30 13:25:49 UTC
[airflow] branch master updated: Disable persisting credentials in
Github Action's checkout (#13389)
This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/master by this push:
new d079b91 Disable persisting credentials in Github Action's checkout (#13389)
d079b91 is described below
commit d079b913d283378dca37dc9ea25b04186d3e326c
Author: Jarek Potiuk <ja...@polidea.com>
AuthorDate: Wed Dec 30 14:25:29 2020 +0100
Disable persisting credentials in Github Action's checkout (#13389)
This PR disables persisting credentials in Github Actions checkout.
This is a result of discussion in builds@apache.org
https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E
It turns out that contrary to the documentation actions (specifically
checkout action) can use GITHUB_TOKEN without specifying it as
input in the yaml file and the GitHub checkout action
leaves the repository with credentials stored locally that
enable pushing to Github Repository by any step in the same
job. This was thought to be forbidden initially (and the
documentation clearly says that the action must have the
GITHUB_TOKEN passed to it in .yaml workflow in order to
use it). But apparently it behaves differently.
This leaves open an attack vector where for example
any PIP package installed in the following steps could push
any changes to GitHub Repository of Apache Airflow.
Security incidents have been reported to both GitHub and
Apache Security team, but in the meantime we add configuration
to remove credentials after checkout step.
https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow
> Using the GITHUB_TOKEN in a workflow
> To use the GITHUB_TOKEN secret, you *must* reference it in your workflow
> file. Using a token might include passing the token as an input to an
> action that requires it, or making authenticated GitHub API calls.
---
.github/workflows/build-images-workflow-run.yml | 7 ++++
.github/workflows/ci.yml | 47 ++++++++++++++++++++++
.github/workflows/codeql-analysis.yml | 2 +
.../workflows/label_when_reviewed_workflow_run.yml | 5 +++
.github/workflows/repo_sync.yml | 2 +
.github/workflows/scheduled_quarantined.yml | 2 +
6 files changed, 65 insertions(+)
diff --git a/.github/workflows/build-images-workflow-run.yml b/.github/workflows/build-images-workflow-run.yml
index 8e6b607..9efb278 100644
--- a/.github/workflows/build-images-workflow-run.yml
+++ b/.github/workflows/build-images-workflow-run.yml
@@ -198,6 +198,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: >
Event: ${{ needs.cancel-workflow-runs.outputs.sourceEvent }}
Repo: ${{ needs.cancel-workflow-runs.outputs.sourceHeadRepo }}
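Review bot: `persist-credentials: false` stops the checkout action from writing the job's GITHUB_TOKEN into the clone's `.git/config` (the auth header it configures for authenticated fetches), so later steps in the same job can no longer push with it. The flip side is that any step in this job that legitimately pushes, or fetches refs that need auth, must now be handed the token explicitly through its own input or env, which is exactly the documented pattern quoted in the commit message; worth checking each workflow touched here for such steps.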
@@ -215,10 +217,13 @@ jobs:
with:
ref: ${{ needs.cancel-workflow-runs.outputs.targetCommitSha }}
fetch-depth: 2
+ persist-credentials: false
if: needs.cancel-workflow-runs.outputs.sourceEvent == 'pull_request'
# checkout the master version again, to use the right script in master workflow
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: Selective checks
id: selective-checks
env:
@@ -270,6 +275,7 @@ jobs:
uses: actions/checkout@v2
with:
ref: ${{ needs.cancel-workflow-runs.outputs.targetCommitSha }}
+ persist-credentials: false
- name: "Retrieve DEFAULTS from the _initialization.sh"
# We cannot "source" the script here because that would be a security problem (we cannot run
# any code that comes from the sources coming from the PR. Therefore we extract the
@@ -313,6 +319,7 @@ jobs:
with:
path: "main-airflow"
ref: "${{ needs.cancel-workflow-runs.outputs.targetBranch }}"
+ persist-credentials: false
if: steps.defaults.outputs.proceed == 'true'
- name: "Setup python"
uses: actions/setup-python@v2
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6edf418..c572305 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -107,6 +107,8 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: >
Event: ${{ github.event_name }}
Repo: ${{ steps.source-run-info.outputs.sourceHeadRepo }}
@@ -128,6 +130,7 @@ jobs:
with:
ref: ${{ github.sha }}
fetch-depth: 2
+ persist-credentials: false
if: github.event_name == 'pull_request'
- name: Selective checks
id: selective-checks
@@ -154,6 +157,7 @@ jobs:
uses: actions/checkout@v2
with:
fetch-depth: 2
+ persist-credentials: false
- name: "Generate client codegen diff"
run: ./scripts/ci/openapi/client_codegen_diff.sh
@@ -170,6 +174,8 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
if: needs.build-info.outputs.waitForImage == 'true'
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -207,6 +213,8 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
if: needs.build-info.outputs.waitForImage == 'true'
+ with:
+ persist-credentials: false
- name: "Free space"
run: ./scripts/ci/tools/ci_free_space_on_ci.sh
if: needs.build-info.outputs.waitForImage == 'true'
@@ -229,6 +237,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -264,6 +274,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -280,6 +292,7 @@ jobs:
with:
ref: ${{ github.sha }}
fetch-depth: 2
+ persist-credentials: false
- name: "Static checks: basic checks only"
run: |
./scripts/ci/static_checks/run_basic_static_checks.sh "${{ github.sha }}"
@@ -305,6 +318,7 @@ jobs:
uses: actions/setup-python@v2
with:
python-version: ${{needs.build-info.outputs.defaultPythonVersion}}
+ persist-credentials: false
- name: "Cache pre-commit env"
uses: actions/cache@v2
with:
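Review bot: this `persist-credentials: false` is attached to the wrong step. The `with:` block at the top of the hunk belongs to `actions/setup-python@v2` (it carries `python-version`), not to a checkout, and setup-python has no `persist-credentials` input, so the line does nothing for the checkout it was meant to cover and will most likely be reported as an unexpected input at run time. Move it into the `with:` block of the preceding `actions/checkout@v2` step, matching the other hunks in this file.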
@@ -329,6 +343,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Prepare CI image ${{env.PYTHON_MAJOR_MINOR_VERSION}}:${{ env.GITHUB_REGISTRY_PULL_IMAGE_TAG }}"
run: ./scripts/ci/images/ci_prepare_ci_image_on_ci.sh
- name: "Build docs"
@@ -376,6 +392,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -423,6 +441,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -471,6 +491,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -527,6 +549,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -582,6 +606,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -634,6 +660,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -691,6 +719,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -778,6 +808,8 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
if: needs.build-info.outputs.waitForImage == 'true'
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -809,6 +841,8 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
if: needs.build-info.outputs.waitForImage == 'true'
+ with:
+ persist-credentials: false
- name: "Free space"
run: ./scripts/ci/tools/ci_free_space_on_ci.sh
if: needs.build-info.outputs.waitForImage == 'true'
@@ -843,6 +877,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -920,6 +956,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -960,6 +998,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -990,6 +1030,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -1028,6 +1070,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Set constraints branch name"
id: constraints-branch
run: ./scripts/ci/constraints/ci_branch_constraints.sh
@@ -1036,6 +1080,7 @@ jobs:
with:
path: "repo"
ref: ${{ steps.constraints-branch.outputs.branch }}
+ persist-credentials: false
- name: "Get all artifacts (constraints)"
uses: actions/download-artifact@v2
with:
@@ -1067,6 +1112,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Free space"
run: ./scripts/ci/tools/ci_free_space_on_ci.sh
- name: "Tag commit"
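Review bot: the "Tag commit" step that follows this checkout will need credentials supplied explicitly if it pushes the tag, since the clone no longer carries the token after this change; please confirm that step sets its own `token` input or env rather than relying on the previously persisted credential, otherwise the push will start failing.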
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9fa7b94..8bdd809 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -36,6 +36,7 @@ jobs:
uses: actions/checkout@v2
with:
fetch-depth: 2
+ persist-credentials: false
- name: Selective checks
id: selective-checks
env:
@@ -68,6 +69,7 @@ jobs:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
+ persist-credentials: false
if: |
matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' ||
matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true'
diff --git a/.github/workflows/label_when_reviewed_workflow_run.yml b/.github/workflows/label_when_reviewed_workflow_run.yml
index d66472b..4400bae 100644
--- a/.github/workflows/label_when_reviewed_workflow_run.yml
+++ b/.github/workflows/label_when_reviewed_workflow_run.yml
@@ -51,6 +51,8 @@ jobs:
"}
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: >
Event: ${{ steps.source-run-info.outputs.sourceEvent }}
Repo: ${{ steps.source-run-info.outputs.sourceHeadRepo }}
@@ -68,9 +70,12 @@ jobs:
with:
ref: ${{ steps.source-run-info.outputs.targetCommitSha }}
fetch-depth: 2
+ persist-credentials: false
# checkout the master version again, to use the right script in master workflow
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: Selective checks
id: selective-checks
env:
diff --git a/.github/workflows/repo_sync.yml b/.github/workflows/repo_sync.yml
index 5df2e91..21232ba 100644
--- a/.github/workflows/repo_sync.yml
+++ b/.github/workflows/repo_sync.yml
@@ -25,6 +25,8 @@ jobs:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@master
+ with:
+ persist-credentials: false
- name: repo-sync
uses: repo-sync/github-sync@v2
with:
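Review bot: `actions/checkout@master` is a floating branch reference, so the checkout code itself can change underneath this workflow at any time; since this PR is about hardening what the checkout does with the token, it is worth pinning this use to a released tag (the other workflows use `@v2`) or to a commit SHA in the same change.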
diff --git a/.github/workflows/scheduled_quarantined.yml b/.github/workflows/scheduled_quarantined.yml
index 1ce2333..2026ff9 100644
--- a/.github/workflows/scheduled_quarantined.yml
+++ b/.github/workflows/scheduled_quarantined.yml
@@ -62,6 +62,8 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- uses: actions/setup-python@v2
with:
python-version: '3.7'
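Review bot: the `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` env entry at the top of this hunk sits directly above `steps:`, i.e. it is job-level env, so the token is exposed to every step in this job through `$GITHUB_TOKEN` regardless of the checkout setting; `persist-credentials: false` only removes the copy stored in `.git/config`. Code run by a later step (the `pip install` case the commit message describes) can still read it from the environment. Consider moving that env entry down to the single step that needs it.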