Vendor in third party actions

jelly-beam / otp-macos

Pre-compiled Erlang/OTP for macOS GHA runners

Other

4 stars 0 forks source link

Vendor in third party actions #3

Open starbelly opened 1 year ago

starbelly commented 1 year ago

One way the building of artifacts is vulnerable to attack is via third party actions. There's a lot of trust in that chain.

Optimally, we vendor in and audit at the time of vendoring each third party action we use.

We should also look to reduce third-party actions. As an example, we're using shellcheck right now, that's very nice, but we could also run shell check locally and reduce the surface area of attack.

If we find that too cumbersome in some instances we can still at lock a third party action at a particular sha (i.e., use foo@sha ). See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions for more details on that.

Edit: when we pull stuff in (via curl, wget or git) verify that the origin is Ok by comparing SHA checksums or whatever is available.

starbelly commented 1 year ago

We should also vendor in kerl

paulo-ferraz-oliveira commented 1 year ago

Vendoring in kerl should be easy, but for the actions do you mean just the top file and then build them locally? Because e.g. actions that are Node.js based are "huge" (because of their dependencies).

starbelly commented 1 year ago

@paulo-ferraz-oliveira Yeah, I should have noted, I have no idea what vendoring in an action looks like, so it may be hmm, not great 😢 You made the call out : Their dependencies. Ahh, that makes me sad, so maybe pinning is the best effort.

paulo-ferraz-oliveira commented 1 year ago

I'll still leave this open until I check it further.

There's several options here:

implement the action as a "script" for the (hopefully) very reduced scope we're using
keep it pinned
vendor it in

My real preference goes to 1. (2. and 3. are in order of preference, too) but that will surely imply a higher maintenance cost.

paulo-ferraz-oliveira commented 1 year ago

I'd even vendor actions/checkout (and I did try, but I ran into issues regarding folder manipulation, so rolled back on my experiment). In any case it'd be good to get rid of that to: one less dep. and I don't consider GitHub-issued code to be more secure than any other 3rd party, fwiw.

paulo-ferraz-oliveira commented 1 month ago

Check what's needed in https://github.com/jelly-beam/otp-macos/settings/actions, under Allow specified actions and reusable workflows. It's only 3 actions for now.