Posted to dev@airflow.apache.org by Jarek Potiuk <ja...@potiuk.com> on 2020/12/27 13:14:29 UTC

[Security incident] [CI Outage] GitHub Actions from outside of Apache not allowed

The ASF Infra made a sudden change in the GitHub Actions settings this
morning. This was apparently as a response to a security incident. More
info in this thread:

https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E

We were not affected by the security problem, because we discussed those
potential attack vectors and we have been following the "pinned hashed"
approach for GitHub Actions:
https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions

However, the change in the policy means that our builds stopped working. I am
working now to bring the actions we use to 'Apache' owned repositories and
switch to those actions now.

Stay tuned.

J,

-- 
+48 660 796 129
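The "pinned hashed" approach referred to in the message above means referencing a third-party action by the full 40-character commit SHA (owner/repo@<sha>) instead of by a tag or branch name, which the action's owner can point at different code at any time. The following is an added example and is not code from the Airflow project or from the message author: a stdlib-only checker that scans a workflow file for uses: entries and flags actions that are not SHA-pinned (and Docker images not pinned by digest), and optionally flags actions whose GitHub owner is outside an allow-list. The allow-list {"apache"} used below takes the subject line literally; the exact set of owners ASF Infra permitted is not stated in this thread. The sample workflow, the repository name apache/airflow-example-action and its commit SHA are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Matches a "uses:" line in a workflow, with or without the leading "- ".
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
# A full Git commit SHA: exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class ActionRef:
    raw: str               # the value after "uses:" as written
    kind: str              # "remote", "local" or "docker"
    owner: Optional[str]   # GitHub owner, remote actions only
    repo: Optional[str]    # repository name, remote actions only
    ref: Optional[str]     # part after "@", remote actions only


def parse_uses(raw: str) -> ActionRef:
    """Split a uses: value into its parts without resolving anything."""
    if raw.startswith("./"):
        return ActionRef(raw, "local", None, None, None)
    if raw.startswith("docker://"):
        return ActionRef(raw, "docker", None, None, None)
    target, _, ref = raw.partition("@")
    parts = target.split("/")          # owner/repo or owner/repo/subdir
    owner = parts[0] if len(parts) >= 2 else None
    repo = parts[1] if len(parts) >= 2 else None
    return ActionRef(raw, "remote", owner, repo, ref or None)


def find_uses(workflow_text: str) -> List[ActionRef]:
    """Collect every uses: reference in the workflow text, in order."""
    refs: List[ActionRef] = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(parse_uses(m.group(1)))
    return refs


def audit(workflow_text: str,
          allowed_owners: Optional[Set[str]] = None) -> List[str]:
    """Return one human-readable finding per policy violation.

    Two independent checks: (1) every remote action is pinned to a full
    commit SHA and every Docker image to a digest; (2) if allowed_owners is
    given, every remote action comes from one of those GitHub owners.
    """
    findings: List[str] = []
    for a in find_uses(workflow_text):
        if a.kind == "local":
            continue                   # lives in this repo, reviewed with it
        if a.kind == "docker":
            if "@sha256:" not in a.raw:
                findings.append(f"{a.raw}: image not pinned by digest")
            continue
        if a.owner is None or a.repo is None:
            findings.append(f"{a.raw}: malformed action reference")
            continue
        if a.ref is None:
            findings.append(f"{a.raw}: no ref, resolves to the default branch")
        elif not FULL_SHA_RE.match(a.ref):
            findings.append(
                f"{a.raw}: pinned to mutable ref '{a.ref}', not a full commit SHA")
        if allowed_owners is not None and a.owner not in allowed_owners:
            findings.append(f"{a.raw}: owner '{a.owner}' is outside the allowed set")
    return findings


# Constructed sample workflow (not from the Airflow repository). The
# repository apache/airflow-example-action and its SHA are made up.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@master
      - uses: apache/airflow-example-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.12
      - name: inline step
        run: echo hello
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW, allowed_owners={"apache"}):
        print(finding)
```

Run it in CI over .github/workflows/*.yml and fail the job on any finding. Two caveats this thread illustrates: a SHA pin only guarantees that you run the commit you reviewed, it does not review that commit for you; and a pin does nothing against an owner-based restriction like the one that caused this outage, which is why the owner check is kept separate from the pin check.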

[Security incident] [CI Outage] GitHub Actions from outside of Apache not allowed [SOLVED]

Posted by Jarek Potiuk <ja...@potiuk.com>.
Please make sure to rebase to the latest master.

I brought 7 new repositories to apache/airflow-* and switched to those (for
now).

The discussions about the new policy continue however, because there are
some gaping holes in the approach we have now, which I pointed out. Feel
free to join the discussions there:

Discussion on builds@apache.org:

https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E
Discussion on users@infra.apache.org:

https://lists.apache.org/thread.html/r900f8f9a874006ed8121bdc901a0d1acccbb340882c1f94dad61a5e9%40%3Cusers.infra.apache.org%3E

J.



On Sun, Dec 27, 2020 at 3:38 PM Jarek Potiuk <ja...@potiuk.com> wrote:

> I moved all actions to apache-airflow owned repositories and have PR ready
> that should fix it: https://github.com/apache/airflow/pull/13327
>
>
> On Sun, Dec 27, 2020 at 2:14 PM Jarek Potiuk <ja...@potiuk.com> wrote:
>
>> The ASF Infra made a sudden change in the GitHub Actions settings this
>> morning. This was apparently as a response to a security incident. More
>> info in this thread:
>>
>>
>> https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E
>>
>> We were not affected by the security problem, because we discussed those
>> potential attack vectors and we have been following the "pinned hashed"
>> approach for GitHub Actions:
>> https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
>>
>> However, the change in the policy means that our builds stopped working. I am
>> working now to bring the actions we use to 'Apache' owned repositories and
>> switch to those actions now.
>>
>> Stay tuned.
>>
>> J,
>>
>> --
>> +48 660 796 129
>>
>
>
> --
> +48 660 796 129
>


-- 
+48 660 796 129

Re: [Security incident] [CI Outage] GitHub Actions from outside of Apache not allowed

Posted by Jarek Potiuk <ja...@potiuk.com>.
I moved all actions to apache-airflow owned repositories and have PR ready
that should fix it: https://github.com/apache/airflow/pull/13327


On Sun, Dec 27, 2020 at 2:14 PM Jarek Potiuk <ja...@potiuk.com> wrote:

> The ASF Infra made a sudden change in the GitHub Actions settings this
> morning. This was apparently as a response to a security incident. More
> info in this thread:
>
>
> https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E
>
> We were not affected by the security problem, because we discussed those
> potential attack vectors and we have been following the "pinned hashed"
> approach for GitHub Actions:
> https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
>
> However, the change in the policy means that our builds stopped working. I am
> working now to bring the actions we use to 'Apache' owned repositories and
> switch to those actions now.
>
> Stay tuned.
>
> J,
>
> --
> +48 660 796 129
>


-- 
+48 660 796 129