sethvargo / ratchet

A tool for securing CI/CD workflows with version pinning.
Apache License 2.0
771 stars 32 forks

Full example for handling Dependabot updates with GitHub Action workflows and ratchet #34

Closed artis3n closed 2 years ago

artis3n commented 2 years ago

TL;DR

Include an example on the README under the CI/CD workflows section of a plug-and-playable workflow to enable ratchet updates to run when Dependabot creates a PR to bump the version of something in an Actions workflow file.

Detailed design

I'm going to spend more time on it later, but following the general process from https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#common-dependabot-automations, I have the workflow file below. My goal is to have a job such that when Dependabot opens a PR due to a new release of any of the Actions I'm referencing in any of my workflows, ratchet will run to update the pinned comment and the workflow will commit that change to the Dependabot PR.

Here's what I started with:

name: Supply Chain Security

on:
  pull_request:
    branches:
      - main

# Pushing a commit back to the PR branch needs contents: write as well as
# pull-requests: write. Note: on pull_request runs triggered by Dependabot,
# GITHUB_TOKEN is read-only by default (and repository secrets are not passed
# to the run), so the commit step needs a token that can actually push.
permissions:
  contents: write
  pull-requests: write

jobs:
  # TODO: Commit changes back to current PR - likely with https://github.com/actions/github-script
  ratchet:
    runs-on: ubuntu-latest
    if: ${{ github.actor == 'dependabot[bot]' }}
    strategy:
      matrix:
        file:
          - .github/workflows/ci.yml
          - .github/workflows/supply_chain.yml
    steps:
      - uses: actions/checkout@v3
        with:
          # Check out the PR head branch instead of the detached merge commit,
          # so a later commit can be pushed back to the Dependabot PR.
          ref: ${{ github.head_ref }}

      - name: Check if workflows have been updated
        id: ratchet-checks
        # `check` exits non-zero for an unpinned file; keep the job alive and
        # let the next step look at the outcome instead of failing here.
        continue-on-error: true
        uses: docker://ghcr.io/sethvargo/ratchet:0.2.3
        with:
          args: "check ${{ matrix.file }}"

      - name: Update Ratchet pins
        # Only rewrite pins when `check` failed. A re-run on the updated file
        # passes `check` and skips this step, so the job cannot loop.
        if: ${{ steps.ratchet-checks.outcome == 'failure' }}
        uses: docker://ghcr.io/sethvargo/ratchet:0.2.3
        with:
          args: "update ${{ matrix.file }}"

Additional information

I'll tinker again with this in a couple weeks and get a workflow going but figured I'd throw this out in the meantime.
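The script below is an added example, not code from the ratchet project or from the issue's author, of a single step body that handles the two TODOs in the workflow above: it runs `ratchet check` per file, calls `ratchet update` only for files that fail the check (so a second run on the pinned result does nothing and cannot loop), and commits whatever changed back to the PR head branch. The `RATCHET` variable, the `ratchet_sync` and `commit_pins` function names, the commit message and the bot identity are this example's own assumptions; it expects a `ratchet` binary on PATH (or `RATCHET` set to an equivalent `docker run` command) and a checkout of the PR head branch.

```shell
#!/bin/sh
# Added example (not the ratchet project's own code): pin-then-commit step body.
set -eu

# Command used to invoke ratchet. Word-split on purpose so it may also hold
# e.g. "docker run --rm -v $PWD:/w -w /w ghcr.io/sethvargo/ratchet:0.2.3".
RATCHET="${RATCHET:-ratchet}"

# ratchet_sync FILE...: run `ratchet update` only on files whose `ratchet check`
# fails. Prints each updated file on its own line; prints nothing when every
# file was already pinned, which is what makes a re-run a no-op.
ratchet_sync() {
  for f in "$@"; do
    if $RATCHET check "$f" >/dev/null 2>&1; then
      continue                      # already pinned: leave it untouched
    fi
    $RATCHET update "$f" >/dev/null
    printf '%s\n' "$f"
  done
}

# commit_pins BRANCH FILE...: commit and push FILE... to BRANCH if any of them
# differ from HEAD. Returns 0 when a commit was pushed and 1 when there was
# nothing to commit, so a caller can skip follow-up steps.
commit_pins() {
  branch="$1"; shift
  if git diff --quiet -- "$@"; then
    return 1                        # working tree matches HEAD: nothing to do
  fi
  git config user.name "github-actions[bot]"
  git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
  git add -- "$@"
  git commit -m "chore: refresh ratchet pins after dependency bump"
  git push origin "HEAD:$branch"
}

# Usage from a workflow step (PR head branch checked out, GITHUB_HEAD_REF set
# by the pull_request event; paths are assumed to contain no spaces):
#   changed=$(ratchet_sync .github/workflows/*.yml)
#   [ -n "$changed" ] && commit_pins "$GITHUB_HEAD_REF" $changed
```

Because `ratchet_sync` never touches a file that already passes `check`, committing its output back to the PR and re-running the job converges after one pass; the push itself still depends on the token limits for Dependabot-triggered runs noted in the workflow comments.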

sethvargo commented 2 years ago

I'm not sure I understand the goal here. Dependabot is something antithetical to Ratchet's goals. Dependabot says "give me all the latest software versions" and Ratchet says "keep me pinned to this specific version which I have audited and reviewed".

Using Dependabot with Ratchet only protects you in a very narrow security scenario: in which a malicious actor has permissions to overwrite an existing tag but not permissions to create a new tag. It's my understanding that GitHub's model makes this relatively impossible; in fact, it's much easier to protect existing tags with tag protection rules than it is to prevent the creation of new tags.

To summarize: I don't think dependabot is a good idea for GitHub Actions if you care about security. Therefore I'm not in favor of showcasing this use case. I hope you understand, and please let me know if you have any questions.

artis3n commented 2 years ago

I don't necessarily agree with the line of reasoning but totally understand that's not what you want ratchet supporting. No problem!