Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable cache storage for stalebot #4396

Merged
merged 3 commits into from
May 30, 2024
Merged

Enable cache storage for stalebot #4396

merged 3 commits into from
May 30, 2024

Conversation

avivkeller
Copy link
Member

This PR should make the Stalebot more efficient via allowing it to utilize GitHub caching, which needs actions write permissions in order to update the existing cache.

@avivkeller
Copy link
Member Author

Fixes the following warning on all workflow runs:

“ Warning: Error delete _state: [403] Resource not accessible by integration”

@Trott
Copy link
Member

Trott commented May 28, 2024

@nodejs/actions

@bmuenzenmeyer
Copy link
Contributor

I'm -1 on this - citing actions/stale#1133 (comment) - on it's surface it seems like a HUGE addition of permissions to surpress a warning.

@avivkeller
Copy link
Member Author

avivkeller commented May 28, 2024

@bmuenzenmeyer That may be true, but this action is sending its permissions to actions/cache, without using any arbitrary data, so I don't see a security concern. An attacker would need to compromise Github Actions to compromise this, and even then, I've pushed an SHA pinned commit, so even the action itself's compromise wouldn't affect this workflow.

@Trott
Copy link
Member

Trott commented May 28, 2024

@bmuenzenmeyer That may be true, but this action is sending its permissions to actions/cache, without using any arbitrary data, so I don't see a security concern. An attacker would need to compromise Github Actions to compromise this, and even then, I've pushed an SHA pinned commit, so even the action itself's compromise wouldn't affect this workflow.

Wouldn't finding an error to compromise in a pinned version of an action be the kind of thing that happens once in a while in the real world and not an unthinkably small risk?

@avivkeller
Copy link
Member Author

avivkeller commented May 28, 2024

Wouldn't finding an error to compromise in a pinned version of an action be the kind of thing that happens once in a while in the real world and not an unthinkably small risk?

It's an unthinkably small risk, because the worst case, an attacker who (A) compromises the GitHub actions repository, and (B) makes a new commit with the same pinned hash, they still won't be able to compromise this, and the only thing that will happen is the stale bot would stop working because of a conflicting head ref. SHA collisions in Git don't overwrite commits, they simply stop working.

So, the attacker would need to compromise GitHub actions (unlikely), run a SHA collision (even more unlikely), and then what do they gain? The stale bot stops working.

(Reference: https://stackoverflow.com/questions/9392365/how-would-git-handle-a-sha-1-collision-on-a-blob)

Copy link
Contributor

@bmuenzenmeyer bmuenzenmeyer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

appreciate the careful discussion here - a tiny nit - it's nice to have the version number of the SHA at the end of the line as a comment.

dependabot can keep both up to date in the future

suggest we still have someone within @nodejs/actions review

.github/workflows/close-stale-issues.yml Outdated Show resolved Hide resolved
Co-authored-by: Brian Muenzenmeyer <[email protected]>
@Trott
Copy link
Member

Trott commented May 28, 2024

t's an unthinkably small risk, because the worst case, an attacker who (A) compromises the GitHub actions repository

I'm thinking of someone exploiting an existing bug in the version of the action that we're using, not forcing us to check out different code.

@Trott
Copy link
Member

Trott commented May 28, 2024

t's an unthinkably small risk, because the worst case, an attacker who (A) compromises the GitHub actions repository

I'm thinking of someone exploiting an existing bug in the version of the action that we're using, not forcing us to check out different code.

And yeah, exploiting an existing bug can happen with any version, but the point is we're giving stalebot a lot of extra permissions so it can do a lot more damage.

That said, this isn't blocking. I'm genuinely unsure about the likelihood of exploitable bugs in an action and the extent to which damage could be done with these permissions. If you're comfortable with it and others are comfortable with it, I can be dismissed as someone who needs to stop commenting about things he doesn't know a lot about. :-D

@avivkeller
Copy link
Member Author

t's an unthinkably small risk, because the worst case, an attacker who (A) compromises the GitHub actions repository

I'm thinking of someone exploiting an existing bug in the version of the action that we're using, not forcing us to check out different code.

Oh, well, in my opinion, that is unlikely, as this is used throughout all of github, so I assume they are monitoring the code of vulnerabilities constantly. I also looked over the code, and arbitrary data (such as issue titles) aren't used in unsafe places (or at all really).

@avivkeller
Copy link
Member Author

avivkeller commented May 28, 2024

That said, this isn't blocking. I'm genuinely unsure about the likelihood of exploitable bugs in an action and the extent to which damage could be done with these permissions. If you're comfortable with it and others are comfortable with it, I can be dismissed as someone who needs to stop commenting about things he doesn't know a lot about. :-D

I'm personally fine with it, but @nodejs/actions should probably check it out.

Because this repo has so little actions and so little data to compromise, the worst that can be done is a rerun/run/disable/cancel of the stalebot, or a deletion of its cache.

Keep in mind this also means that the attacker found a vulnerability in the stalebot, which is a difficult task itself.

@Trott
Copy link
Member

Trott commented May 28, 2024

Sounds good. Thanks. Let's give it another day or two for @nodejs/actions folks (or other knowledgable folks--maybe some people on @nodejs/build?) to comment.

@avivkeller
Copy link
Member Author

@marco-ippolito, seeing as you, a member of @nodejs/actions approved, do you think this is safe enough to merge?

Copy link
Member

@H4ad H4ad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@redyetidev Can you create an issue to track the changes on actions stale to see if they will create a version that requires less permission? You can link this PR and the issues on actions/stale to revert this change as soon we have a version that requires less permission.

@avivkeller
Copy link
Member Author

actions/stale#1159

@Trott Trott merged commit 48dd657 into nodejs:main May 30, 2024
@avivkeller avivkeller deleted the patch-4 branch June 3, 2024 17:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants