Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: make greetings on PR First-time Contrib #8885

Open
wants to merge 3 commits into
base: develop
Choose a base branch
from

Conversation

ddevsr
Copy link
Collaborator

@ddevsr ddevsr commented May 11, 2024

Description
Ref codeigniter4/CodeIgniter4#8878.

Checklist:

  • Securely signed commits
  • Component(s) with PHPDoc blocks, only if necessary or adds value
  • Unit testing, with >80% coverage
  • User guide updated
  • Conforms to style guide

@ddevsr ddevsr added the github_actions Pull requests that update Github_actions code label May 11, 2024
kenjis
kenjis previously approved these changes May 11, 2024
@kenjis kenjis dismissed their stale review May 11, 2024 01:58

pull_requedt_target should not be used for security reasons.

@kenjis
Copy link
Member

kenjis commented May 11, 2024

By Claude 3 Sonnet.

Q: We are running an open source project on GitHub and using GitHub Actions for all pull requests. What are the security considerations when using pull_requedt_target in workflows?

When using the pull_request_target event in GitHub Actions workflows, there are some important security considerations to keep in mind:

  1. Untrusted Code: The pull_request_target event runs the workflow code from the pull request's head commit, which means it executes code from an untrusted source. This code could potentially be malicious, so it's crucial to ensure that your workflow doesn't perform any sensitive operations or expose any secrets.

  2. Code Injection: If your workflow includes steps that allow user input or use external data sources, there's a risk of code injection attacks. Malicious code could be injected into your workflow, leading to unintended actions or data leaks.

  3. Permissions: By default, the pull_request_target event runs with read-only permissions to the repository. However, if your workflow requires write access, you'll need to grant the GITHUB_TOKEN permissions explicitly. This introduces a potential risk if the workflow is compromised, as it could then make unauthorized changes to your repository.

  4. Secrets Exposure: If your workflow uses secrets (e.g., API keys, passwords), they could potentially be exposed to the untrusted code in the pull request. It's recommended to avoid using secrets in workflows triggered by the pull_request_target event, or at least limit their usage to read-only operations.

  5. Resource Exhaustion: Malicious pull requests could attempt to overwhelm your system resources (e.g., CPU, memory, disk space) by running resource-intensive operations in the workflow. It's important to set reasonable limits and monitor resource usage.

To mitigate these risks, consider the following best practices:

  1. Validate Inputs: Sanitize and validate all inputs and data sources used in your workflow to prevent code injection attacks.
  2. Minimize Permissions: Grant the minimum required permissions to the GITHUB_TOKEN or use a custom token with limited scope.
  3. Avoid Secrets: If possible, avoid using secrets in workflows triggered by the pull_request_target event. If you must use secrets, ensure they are only used for read-only operations.
  4. Resource Limits: Set appropriate resource limits for your workflows to prevent resource exhaustion attacks.
  5. Code Review: Thoroughly review the code in pull requests before merging, especially if the workflow performs sensitive operations.
  6. Monitoring and Logging: Implement monitoring and logging mechanisms to detect and respond to potential security incidents or misuse.
  7. Security Updates: Keep your GitHub Actions environment and dependencies up-to-date with the latest security patches and updates.

By following these best practices, you can mitigate the risks associated with running untrusted code in your GitHub Actions workflows and maintain a secure environment for your open-source project.

@paulbalandan
Copy link
Member

Based on actions/first-interaction's readme, it is enough to use pull_request event:
https://github.com/actions/first-interaction?tab=readme-ov-file#usage

@kenjis
Copy link
Member

kenjis commented Jun 12, 2024

See actions/first-interaction#31

@ddevsr ddevsr requested review from kenjis and paulbalandan August 8, 2024 08:23
@kenjis
Copy link
Member

kenjis commented Aug 8, 2024

@ddevsr Thank you. But did you test this works on pull requests by contributers?

@kenjis
Copy link
Member

kenjis commented Aug 8, 2024

By ChatGPT.

Using pull_request_target in GitHub Actions workflows comes with several security considerations, especially for open-source projects where pull requests (PRs) may come from untrusted contributors. Here’s what you need to keep in mind:

1. Access to Secrets

  • Workflows triggered by pull_request_target run in the context of the base repository (i.e., the repository into which the PR is being merged). This means they have access to secrets and can perform actions with the repository's permissions.
  • An attacker could potentially submit a malicious PR to exploit this, accessing secrets or performing unauthorized actions.

2. Careful with Untrusted Code

  • Avoid checking out and running untrusted code directly from the PR in these workflows. If you do need to check out the PR, consider using actions/checkout with ref: ${{ github.event.pull_request.head.ref }} instead of the PR’s branch, but be cautious.
  • One safer approach is to validate the PR (e.g., linting, formatting, running tests) without exposing secrets or doing anything sensitive.

3. Use Limited Scopes

  • Ensure the GitHub token (GITHUB_TOKEN) or any other credentials used in the workflow are scoped appropriately, limiting permissions as much as possible.
  • Consider using the permissions key in the workflow file to restrict the default permissions of the GITHUB_TOKEN.

4. Review and Approval

  • Implement mandatory code reviews before workflows using pull_request_target can be merged. This adds an additional layer of protection by ensuring that a maintainer reviews potentially malicious code before it executes.

5. Limit Workflow Modifications

  • Be cautious about allowing workflows or configuration files to be modified in PRs, as these changes could be exploited. Ensure that any changes to workflow files are reviewed thoroughly.

6. Consider Alternative Triggers

  • For untrusted code or contributors, consider using pull_request instead of pull_request_target if you don’t need access to secrets or write permissions. This trigger runs in the context of the fork, offering more isolation.

7. Custom Environment Variables

  • Be careful when passing custom environment variables to workflows triggered by pull_request_target. Avoid passing sensitive information directly from the PR.

Summary

Using pull_request_target is powerful but should be approached with caution, especially in open-source projects. The key is to limit exposure and access to sensitive resources, thoroughly review untrusted code, and ensure workflows are tightly controlled and reviewed.

@@ -1,13 +1,14 @@
name: Greetings

on: [pull_request_target]
on: [pull_request]

jobs:
greeting:
runs-on: ubuntu-latest
permissions:
issues: read
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line does not seem to be needed.

Suggested change
issues: read

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
github_actions Pull requests that update Github_actions code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants