potiuk opened a new pull request #13389: URL: https://github.com/apache/airflow/pull/13389
This PR disables persisting credentials in GitHub Actions checkout. This is a result of the discussion in [email protected]: https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E

It turns out that, contrary to the documentation, actions (specifically the checkout action) can use GITHUB_TOKEN without it being specified as an input in the yaml file, and the GitHub checkout action leaves the repository with credentials stored locally that enable pushing to the GitHub repository by any step in the same job. This was thought to be forbidden initially (and the documentation clearly says that the action must have the GITHUB_TOKEN passed to it in the .yaml workflow in order to use it). But apparently it behaves differently.

This leaves open an attack vector where, for example, any PIP package installed in the following steps could push any changes to the GitHub repository of Apache Airflow. Security incidents have been reported to both GitHub and the Apache Security team, but in the meantime we add configuration to remove credentials after the checkout step.

https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow

> Using the GITHUB_TOKEN in a workflow
> To use the GITHUB_TOKEN secret, you *must* reference it in your workflow file. Using a token might include passing the token as an input to an action that requires it, or making authenticated GitHub API calls.

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
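The configuration change the PR describes, shown as an added example workflow rather than the PR's own diff: the `actions/checkout` input `persist-credentials` defaults to true and leaves the token in the job's `.git/config` as an `http.https://github.com/.extraheader` entry, so the hardened step sets it to `false` and a guard step fails the job if any such header survived. The workflow name, job name and requirements file are placeholders.

```yaml
# Added example workflow (not the PR's diff); names below are placeholders.
name: ci

on: [pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Before: persist-credentials defaults to true, so checkout writes the
      # GITHUB_TOKEN into .git/config as http.https://github.com/.extraheader
      # and every later step in this job can push to the repository:
      #
      #   - uses: actions/checkout@v2
      #
      # After: do not persist the token at all.
      - uses: actions/checkout@v2
        with:
          persist-credentials: false

      # Guard: fail the job if an authorization header is still present in
      # the local git config. `git config --get-all` exits non-zero when the
      # key is absent; output is discarded so no header value reaches the log.
      - name: Verify checkout persisted no credentials
        run: |
          if git config --local --get-all http.https://github.com/.extraheader >/dev/null; then
            echo "::error::checkout left credentials in .git/config"
            exit 1
          fi

      # Third-party code runs only after the guard, so it finds no stored
      # repository credentials to reuse.
      - name: Install dependencies
        run: pip install -r requirements.txt   # placeholder requirements file
```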
