CI: Figure out a way to safely sandbox contributor pull-requests but still get build results

rerun-io / rerun

Visualize streams of multimodal data. Free, fast, easy to use, and simple to integrate. Built in Rust.

https://rerun.io/

Apache License 2.0

6.52k stars 327 forks source link

CI: Figure out a way to safely sandbox contributor pull-requests but still get build results #1994

Open jleibs opened 1 year ago

jleibs commented 1 year ago

Pull requests currently fail when submitted by external contributors because they are run without our secrets. The build part is fine, but the upload steps end up failing.

This is generally a good thing not to leak our credentials to external contributors, but it's a bit annoying since it would be nice to end up with sample html results, etc. from CI.

I started working on a proof-of-concept to allow this via pull_request_target: https://github.com/rerun-io/rerun/pull/1991

However, there are some unresolved security implications of that approach. We need to do more thinking and probably introduce more granular gcloud permissions to do this safely.

jleibs commented 1 year ago

This seems like a worthwhile read: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

jleibs commented 1 year ago

Specifically our solution should likely look like: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#using-data-from-the-triggering-workflow

jprochazk commented 1 year ago

We can now run contributor PRs through our CI safely: https://github.com/rerun-io/rerun/pull/3557/checks

Remaining work:

[ ] Clean up pull request template
- No need for PR summary, web demo link, etc. if the contributor won't be able to use it

jleibs commented 11 months ago

@jprochazk what has to happen to make the contributor template different?

jprochazk commented 11 months ago

We have a script that runs for every PR create/update that edits the PR body, we should:

Change the default template to be clean for external contributors
Use the script to update the body for rerun-io contributors only, adding all the links we usually expect

emilk commented 4 months ago

We've now seen one malicious (and failed) attempt at stealing our GitHub token: https://github.com/rerun-io/rerun/pull/6736.

We believe the GitHub action permission system is not granular enough to have both security, power, and easy 3rd party PRs. So we need to move off GitHub actions.

emilk commented 3 months ago

Two problems on the current contributor PR:

lychee link checker isn't run
pixi run -e wheel-test py-test fails:

https://github.com/rerun-io/rerun/actions/runs/9928447006/job/27424762059?pr=6853