Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2020/12/30 13:22:05 UTC

[GitHub] [airflow] potiuk opened a new pull request #13389: Disable persisting credentials in Github Action's checkout

potiuk opened a new pull request #13389:
URL: https://github.com/apache/airflow/pull/13389


   This PR disables persisting credentials in Github Actions checkout.
   
   This is a result of discussion in builds@apache.org
   https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E
   
   It turns out that contrary to the documentation actions (specifically
   checkout action) can use GITHUB_TOKEN without specifying it as
   input in the yaml file and the GitHub checkout action
   leaves the repository with credentials stored locally that
   enable pushing to Github Repository by any step in the same
   job. This was thought to be forbidden initially (and the
   documentation clearly says that the action must have the
   GITHUB_TOKEN passed to it in .yaml workflow in order to
   use it). But apparently it behaves differently.
   
   This leaves open an attack vector where for example
   any PIP package installed in the following steps could push
   any changes to GitHub Repository of Apache Airflow.
   
   Security incidents have been reported to both GitHub and
   Apache Security team, but in the meantime we add configuration
   to remove credentials after checkout step.
   
   https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow
   
   > Using the GITHUB_TOKEN in a workflow
   >
   > To use the GITHUB_TOKEN secret, you *must* reference it in your workflow
   > file. Using a token might include passing the token as an input to an
   > action that requires it, or making authenticated GitHub API calls.
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
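The configuration change the PR describes, shown as an added illustration rather than the PR's own diff: a workflow in which `actions/checkout` is told not to leave the token in the local git config, followed by a step that verifies the result before any untrusted dependency is installed. The workflow, job and step names are assumed; the verification relies on `actions/checkout` storing the token as an `http.<url>.extraheader` entry in `.git/config` when `persist-credentials` is left at its default of `true`, which is the action's documented behaviour and the reason a later step in the same job can push.

```yaml
# Added example, not part of the Airflow repository. Names are assumed.
name: CI

on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # With the default (persist-credentials: true) the checkout action
      # writes GITHUB_TOKEN into .git/config, so every later step in this
      # job, including code pulled in by dependency installs, could push.
      - uses: actions/checkout@v2
        with:
          persist-credentials: false

      # Defensive check: fail the job if a credential header survived.
      # actions/checkout stores the token under http.<url>.extraheader.
      - name: Verify no credentials persisted by checkout
        run: |
          if git config --local --get-regexp '^http\..*\.extraheader$'; then
            echo "::error::Git credentials found in .git/config after checkout"
            exit 1
          fi
          echo "No persisted credentials found in .git/config"

      # Third-party code runs only after the token is confirmed gone.
      - name: Install dependencies
        run: pip install -r requirements.txt
```

A step that legitimately needs to push (release or changelog automation, for instance) must then be handed a token explicitly through `with:` or `env:`, which is exactly the model the documentation quoted in the PR description assumes: the credential is scoped to the one step that declares it instead of being ambient to everything that runs after checkout.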



[GitHub] [airflow] potiuk merged pull request #13389: Disable persisting credentials in Github Action's checkout

Posted by GitBox <gi...@apache.org>.
potiuk merged pull request #13389:
URL: https://github.com/apache/airflow/pull/13389


   





[GitHub] [airflow] github-actions[bot] commented on pull request #13389: Disable persisting credentials in Github Action's checkout

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #13389:
URL: https://github.com/apache/airflow/pull/13389#issuecomment-752594365


   The PR most likely needs to run the full matrix of tests because it modifies parts of the core of Airflow. However, committers might decide to merge it quickly and take the risk. If they don't merge it quickly, please rebase it to the latest master at your convenience, or amend the last commit of the PR, and push it with --force-with-lease.

