You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by ka...@apache.org on 2021/01/21 16:01:23 UTC
[airflow] 03/04: Disable persisting credentials in Github Action's
checkout (#13389)
This is an automated email from the ASF dual-hosted git repository.
kaxilnaik pushed a commit to branch v1-10-test
in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 52d0f57e3142207973d4f369fb4a8dc2d2f76aaf
Author: Jarek Potiuk <ja...@polidea.com>
AuthorDate: Wed Dec 30 14:25:29 2020 +0100
Disable persisting credentials in Github Action's checkout (#13389)
This PR disables persisting credentials in Github Actions checkout.
This is a result of discussion in builds@apache.org
https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E
It turns out that contrary to the documentation actios (specifically
checkout action) can use GITHUB_TOKEN without specifying it as
input in the yaml file and the GitHub checkout action
leaves the repository with credentials stored locally that
enable pushing to Github Repository by any step in the same
job. This was thought to be forbidden initially (and the
documentation clearly says that the action must have the
GITHUB_TOKEN passed to it in .yaml workflow in order to
use it). But apparently it behaves differently.
This leaves open an attack vector where for example
any PIP package installed in the following steps could push
any changes to GitHub Repository of Apache Airflow.
Security incidents have been reported to both GitHub and
Apache Security team, but in the meantime we add configuration
to remove credentials after checkout step.
https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow
> Using the GITHUB_TOKEN in a workflow
> To use the GITHUB_TOKEN secret, you *must* reference it in your workflow
file. Using a token might include passing the token as an input to an
action that requires it, or making authenticated GitHub API calls.
(cherry picked from commit d079b913d283378dca37dc9ea25b04186d3e326c)
---
.github/workflows/build-images-workflow-run.yml | 7 ++++
.github/workflows/ci.yml | 41 +++++++++++++++++++++-
.github/workflows/codeql-analysis.yml | 2 ++
.../workflows/label_when_reviewed_workflow_run.yml | 5 +++
.github/workflows/scheduled_quarantined.yml | 2 ++
5 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-images-workflow-run.yml b/.github/workflows/build-images-workflow-run.yml
index 778ff54..bed5dfc 100644
--- a/.github/workflows/build-images-workflow-run.yml
+++ b/.github/workflows/build-images-workflow-run.yml
@@ -207,6 +207,8 @@ jobs:
if: needs.cancel-workflow-runs.outputs.sourceEvent == 'pull_request'
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: >
Event: ${{ needs.cancel-workflow-runs.outputs.sourceEvent }}
Repo: ${{ needs.cancel-workflow-runs.outputs.sourceHeadRepo }}
@@ -224,10 +226,13 @@ jobs:
with:
ref: ${{ needs.cancel-workflow-runs.outputs.targetCommitSha }}
fetch-depth: 2
+ persist-credentials: false
if: needs.cancel-workflow-runs.outputs.sourceEvent == 'pull_request'
# checkout the master version again, to use the right script in master workflow
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: Selective checks
id: selective-checks
env:
@@ -279,6 +284,7 @@ jobs:
uses: actions/checkout@v2
with:
ref: ${{ needs.cancel-workflow-runs.outputs.targetCommitSha }}
+ persist-credentials: false
- name: "Retrieve DEFAULTS from the _initialization.sh"
# We cannot "source" the script here because that would be a security problem (we cannot run
# any code that comes from the sources coming from the PR. Therefore we extract the
@@ -323,6 +329,7 @@ jobs:
with:
path: "main-airflow"
ref: "${{ needs.cancel-workflow-runs.outputs.targetBranch }}"
+ persist-credentials: false
if: steps.defaults.outputs.proceed == 'true'
- name: "Setup python"
uses: actions/setup-python@v2
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7902f6c..728dfb0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -105,6 +105,8 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: >
Event: ${{ github.event_name }}
Repo: ${{ steps.source-run-info.outputs.sourceHeadRepo }}
@@ -126,6 +128,7 @@ jobs:
with:
ref: ${{ github.sha }}
fetch-depth: 2
+ persist-credentials: false
if: github.event_name == 'pull_request'
- name: Selective checks
id: selective-checks
@@ -155,6 +158,8 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
if: needs.build-info.outputs.waitForImage == 'true'
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -192,6 +197,8 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
if: needs.build-info.outputs.waitForImage == 'true'
+ with:
+ persist-credentials: false
- name: "Free space"
run: ./scripts/ci/tools/ci_free_space_on_ci.sh
if: needs.build-info.outputs.waitForImage == 'true'
@@ -207,13 +214,15 @@ jobs:
runs-on: ubuntu-20.04
needs: [build-info, ci-images]
env:
- SKIP: "pylint,identity"
+ SKIP: "identity"
MOUNT_LOCAL_SOURCES: "true"
PYTHON_MAJOR_MINOR_VERSION: ${{needs.build-info.outputs.defaultPythonVersion}}
if: needs.build-info.outputs.basic-checks-only == 'false'
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -250,6 +259,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -267,6 +278,7 @@ jobs:
with:
ref: ${{ github.sha }}
fetch-depth: 2
+ persist-credentials: false
- name: "Static checks: basic checks only"
run: |
./scripts/ci/static_checks/run_basic_static_checks.sh "${{ github.sha }}"
@@ -282,6 +294,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Prepare CI image ${{env.PYTHON_MAJOR_MINOR_VERSION}}:${{ env.GITHUB_REGISTRY_PULL_IMAGE_TAG }}"
run: ./scripts/ci/images/ci_prepare_ci_image_on_ci.sh
- name: "Build docs"
@@ -311,6 +325,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -367,6 +383,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -422,6 +440,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -474,6 +494,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -531,6 +553,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -618,6 +642,8 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
if: needs.build-info.outputs.waitForImage == 'true'
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -649,6 +675,8 @@ jobs:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
if: needs.build-info.outputs.waitForImage == 'true'
+ with:
+ persist-credentials: false
- name: "Free space"
run: ./scripts/ci/tools/ci_free_space_on_ci.sh
if: needs.build-info.outputs.waitForImage == 'true'
@@ -683,6 +711,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -762,6 +792,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -800,6 +832,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -830,6 +864,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Setup python"
uses: actions/setup-python@v2
with:
@@ -867,6 +903,8 @@ jobs:
steps:
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: "Set constraints branch name"
id: constraints-branch
run: ./scripts/ci/constraints/ci_branch_constraints.sh
@@ -875,6 +913,7 @@ jobs:
with:
path: "repo"
ref: ${{ steps.constraints-branch.outputs.branch }}
+ persist-credentials: false
- name: "Get all artifacts (constraints)"
uses: actions/download-artifact@v2
with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9fa7b94..8bdd809 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -36,6 +36,7 @@ jobs:
uses: actions/checkout@v2
with:
fetch-depth: 2
+ persist-credentials: false
- name: Selective checks
id: selective-checks
env:
@@ -68,6 +69,7 @@ jobs:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
fetch-depth: 2
+ persist-credentials: false
if: |
matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' ||
matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true'
diff --git a/.github/workflows/label_when_reviewed_workflow_run.yml b/.github/workflows/label_when_reviewed_workflow_run.yml
index d66472b..4400bae 100644
--- a/.github/workflows/label_when_reviewed_workflow_run.yml
+++ b/.github/workflows/label_when_reviewed_workflow_run.yml
@@ -51,6 +51,8 @@ jobs:
"}
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: >
Event: ${{ steps.source-run-info.outputs.sourceEvent }}
Repo: ${{ steps.source-run-info.outputs.sourceHeadRepo }}
@@ -68,9 +70,12 @@ jobs:
with:
ref: ${{ steps.source-run-info.outputs.targetCommitSha }}
fetch-depth: 2
+ persist-credentials: false
# checkout the master version again, to use the right script in master workflow
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- name: Selective checks
id: selective-checks
env:
diff --git a/.github/workflows/scheduled_quarantined.yml b/.github/workflows/scheduled_quarantined.yml
index 9877e4c..3071693 100644
--- a/.github/workflows/scheduled_quarantined.yml
+++ b/.github/workflows/scheduled_quarantined.yml
@@ -79,6 +79,8 @@ jobs:
needs.trigger-tests.outputs.run-tests == 'true' || github.event_name != 'pull_request'
steps:
- uses: actions/checkout@v2
+ with:
+ persist-credentials: false
- uses: actions/setup-python@v2
with:
python-version: '3.7'