-
Notifications
You must be signed in to change notification settings - Fork 286
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable cache storage for stalebot #4396
Conversation
Fixes the following warning on all workflow runs: “ Warning: Error delete _state: [403] Resource not accessible by integration” |
@nodejs/actions |
I'm -1 on this - citing actions/stale#1133 (comment) - on it's surface it seems like a HUGE addition of permissions to surpress a warning. |
@bmuenzenmeyer That may be true, but this action is sending its permissions to |
Wouldn't finding an error to compromise in a pinned version of an action be the kind of thing that happens once in a while in the real world and not an unthinkably small risk? |
It's an unthinkably small risk, because the worst case, an attacker who (A) compromises the GitHub actions repository, and (B) makes a new commit with the same pinned hash, they still won't be able to compromise this, and the only thing that will happen is the stale bot would stop working because of a conflicting head ref. SHA collisions in Git don't overwrite commits, they simply stop working. So, the attacker would need to compromise GitHub actions (unlikely), run a SHA collision (even more unlikely), and then what do they gain? The stale bot stops working. (Reference: https://stackoverflow.com/questions/9392365/how-would-git-handle-a-sha-1-collision-on-a-blob) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
appreciate the careful discussion here - a tiny nit - it's nice to have the version number of the SHA at the end of the line as a comment.
dependabot can keep both up to date in the future
suggest we still have someone within @nodejs/actions review
Co-authored-by: Brian Muenzenmeyer <[email protected]>
I'm thinking of someone exploiting an existing bug in the version of the action that we're using, not forcing us to check out different code. |
And yeah, exploiting an existing bug can happen with any version, but the point is we're giving stalebot a lot of extra permissions so it can do a lot more damage. That said, this isn't blocking. I'm genuinely unsure about the likelihood of exploitable bugs in an action and the extent to which damage could be done with these permissions. If you're comfortable with it and others are comfortable with it, I can be dismissed as someone who needs to stop commenting about things he doesn't know a lot about. :-D |
Oh, well, in my opinion, that is unlikely, as this is used throughout all of github, so I assume they are monitoring the code of vulnerabilities constantly. I also looked over the code, and arbitrary data (such as issue titles) aren't used in unsafe places (or at all really). |
I'm personally fine with it, but @nodejs/actions should probably check it out. Because this repo has so little actions and so little data to compromise, the worst that can be done is a rerun/run/disable/cancel of the stalebot, or a deletion of its cache. Keep in mind this also means that the attacker found a vulnerability in the stalebot, which is a difficult task itself. |
Sounds good. Thanks. Let's give it another day or two for @nodejs/actions folks (or other knowledgable folks--maybe some people on @nodejs/build?) to comment. |
@marco-ippolito, seeing as you, a member of @nodejs/actions approved, do you think this is safe enough to merge? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
@redyetidev Can you create an issue to track the changes on actions stale to see if they will create a version that requires less permission? You can link this PR and the issues on actions/stale to revert this change as soon we have a version that requires less permission.
This PR should make the Stalebot more efficient via allowing it to utilize GitHub caching, which needs actions write permissions in order to update the existing cache.