This is an automated email from the ASF dual-hosted git repository. kaxilnaik pushed a commit to branch v1-10-test in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 52d0f57e3142207973d4f369fb4a8dc2d2f76aaf Author: Jarek Potiuk <[email protected]> AuthorDate: Wed Dec 30 14:25:29 2020 +0100 Disable persisting credentials in Github Action's checkout (#13389) This PR disables persisting credentials in Github Actions checkout. This is a result of discussion in [email protected] https://lists.apache.org/thread.html/r435c45dfc28ec74e28314aa9db8a216a2b45ff7f27b15932035d3f65%40%3Cbuilds.apache.org%3E It turns out that contrary to the documentation actions (specifically checkout action) can use GITHUB_TOKEN without specifying it as input in the yaml file and the GitHub checkout action leaves the repository with credentials stored locally that enable pushing to Github Repository by any step in the same job. This was thought to be forbidden initially (and the documentation clearly says that the action must have the GITHUB_TOKEN passed to it in .yaml workflow in order to use it). But apparently it behaves differently. This leaves open an attack vector where for example any PIP package installed in the following steps could push any changes to GitHub Repository of Apache Airflow. Security incidents have been reported to both GitHub and Apache Security team, but in the meantime we add configuration to remove credentials after checkout step. https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow > Using the GITHUB_TOKEN in a workflow > To use the GITHUB_TOKEN secret, you *must* reference it in your workflow file. Using a token might include passing the token as an input to an action that requires it, or making authenticated GitHub API calls.
(cherry picked from commit d079b913d283378dca37dc9ea25b04186d3e326c) --- .github/workflows/build-images-workflow-run.yml | 7 ++++ .github/workflows/ci.yml | 41 +++++++++++++++++++++- .github/workflows/codeql-analysis.yml | 2 ++ .../workflows/label_when_reviewed_workflow_run.yml | 5 +++ .github/workflows/scheduled_quarantined.yml | 2 ++ 5 files changed, 56 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-images-workflow-run.yml b/.github/workflows/build-images-workflow-run.yml index 778ff54..bed5dfc 100644 --- a/.github/workflows/build-images-workflow-run.yml +++ b/.github/workflows/build-images-workflow-run.yml @@ -207,6 +207,8 @@ jobs: if: needs.cancel-workflow-runs.outputs.sourceEvent == 'pull_request' - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: > Event: ${{ needs.cancel-workflow-runs.outputs.sourceEvent }} Repo: ${{ needs.cancel-workflow-runs.outputs.sourceHeadRepo }} @@ -224,10 +226,13 @@ jobs: with: ref: ${{ needs.cancel-workflow-runs.outputs.targetCommitSha }} fetch-depth: 2 + persist-credentials: false if: needs.cancel-workflow-runs.outputs.sourceEvent == 'pull_request' # checkout the master version again, to use the right script in master workflow - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: Selective checks id: selective-checks env: @@ -279,6 +284,7 @@ jobs: uses: actions/checkout@v2 with: ref: ${{ needs.cancel-workflow-runs.outputs.targetCommitSha }} + persist-credentials: false - name: "Retrieve DEFAULTS from the _initialization.sh" # We cannot "source" the script here because that would be a security problem (we cannot run # any code that comes from the sources coming from the PR. Therefore we extract the 
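Review bot: `persist-credentials: false` is added to every checkout step in this hunk and in the remaining hunks of build-images-workflow-run.yml, ci.yml, codeql-analysis.yml, label_when_reviewed_workflow_run.yml and scheduled_quarantined.yml, but none of the roughly thirty occurrences carries a comment saying why it must stay, so a later edit that adds a checkout step or tidies a `with:` block can silently regress it. I would add, above the first `persist-credentials: false` in each file, `# Never leave GITHUB_TOKEN in .git/config after checkout; no later step in the job may be able to push with it (see #13389)` — today the rationale lives only in the commit message. The setting only stops checkout from writing the token into the repository's git config; a step that still receives the token explicitly (the `token: ${{ secrets.GITHUB_TOKEN }}` context line in the first ci.yml hunk shows at least one does) keeps it, so this change is necessary but not by itself sufficient. A cheap regression guard would be a step right after checkout that fails when `git config --get-all http.https://github.com/.extraheader` prints anything, which is where checkout@v2 stores the auth header to my knowledge.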
@@ -323,6 +329,7 @@ jobs: with: path: "main-airflow" ref: "${{ needs.cancel-workflow-runs.outputs.targetBranch }}" + persist-credentials: false if: steps.defaults.outputs.proceed == 'true' - name: "Setup python" uses: actions/setup-python@v2 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7902f6c..728dfb0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -105,6 +105,8 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: > Event: ${{ github.event_name }} Repo: ${{ steps.source-run-info.outputs.sourceHeadRepo }} @@ -126,6 +128,7 @@ jobs: with: ref: ${{ github.sha }} fetch-depth: 2 + persist-credentials: false if: github.event_name == 'pull_request' - name: Selective checks id: selective-checks @@ -155,6 +158,8 @@ jobs: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 if: needs.build-info.outputs.waitForImage == 'true' + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -192,6 +197,8 @@ jobs: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 if: needs.build-info.outputs.waitForImage == 'true' + with: + persist-credentials: false - name: "Free space" run: ./scripts/ci/tools/ci_free_space_on_ci.sh if: needs.build-info.outputs.waitForImage == 'true' @@ -207,13 +214,15 @@ jobs: runs-on: ubuntu-20.04 needs: [build-info, ci-images] env: - SKIP: "pylint,identity" + SKIP: "identity" MOUNT_LOCAL_SOURCES: "true" PYTHON_MAJOR_MINOR_VERSION: ${{needs.build-info.outputs.defaultPythonVersion}} if: needs.build-info.outputs.basic-checks-only == 'false' steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: 
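Review bot: The change from `SKIP: "pylint,identity"` to `SKIP: "identity"` in the `@@ -207,13 +214,15 @@` hunk of ci.yml is unrelated to disabling persisted credentials and is not mentioned in the description; presumably it means the pylint hook is no longer skipped in that static-checks job on this branch. If it arrived with the cherry-pick from d079b913d283378dca37dc9ea25b04186d3e326c, the message should say so, or the line should be split into its own commit so the v1-10-test history records a deliberate decision; otherwise restore `SKIP: "pylint,identity"`. The enclosing job definition starts before the hunk.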
@@ -250,6 +259,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -267,6 +278,7 @@ jobs: with: ref: ${{ github.sha }} fetch-depth: 2 + persist-credentials: false - name: "Static checks: basic checks only" run: | ./scripts/ci/static_checks/run_basic_static_checks.sh "${{ github.sha }}" @@ -282,6 +294,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Prepare CI image ${{env.PYTHON_MAJOR_MINOR_VERSION}}:${{ env.GITHUB_REGISTRY_PULL_IMAGE_TAG }}" run: ./scripts/ci/images/ci_prepare_ci_image_on_ci.sh - name: "Build docs" @@ -311,6 +325,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -367,6 +383,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -422,6 +440,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -474,6 +494,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -531,6 +553,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: 
@@ -618,6 +642,8 @@ jobs: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 if: needs.build-info.outputs.waitForImage == 'true' + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -649,6 +675,8 @@ jobs: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 if: needs.build-info.outputs.waitForImage == 'true' + with: + persist-credentials: false - name: "Free space" run: ./scripts/ci/tools/ci_free_space_on_ci.sh if: needs.build-info.outputs.waitForImage == 'true' @@ -683,6 +711,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -762,6 +792,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -800,6 +832,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -830,6 +864,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Setup python" uses: actions/setup-python@v2 with: @@ -867,6 +903,8 @@ jobs: steps: - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: "Set constraints branch name" id: constraints-branch run: ./scripts/ci/constraints/ci_branch_constraints.sh @@ -875,6 +913,7 @@ jobs: with: path: "repo" ref: ${{ steps.constraints-branch.outputs.branch }} + persist-credentials: false - name: "Get all artifacts (constraints)" uses: actions/download-artifact@v2 with: 
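Review bot: The checkout into `path: "repo"` at `ref: ${{ steps.constraints-branch.outputs.branch }}` in the `@@ -875,6 +913,7 @@` hunk of ci.yml now runs with `persist-credentials: false`; if a later step in this job pushes updated constraints to that branch (the `Set constraints branch name` step suggests so, but the push step is outside the hunk), it previously relied on the persisted token and would now fail to authenticate. If that is the case, this one checkout should receive an explicit `token:` input, since it is the single place where a write credential is intended, or the push script should take a token as an explicit input rather than reading it from git config. The job body continues past the hunk, so the first scheduled run on this branch should be checked for that failure.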
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 9fa7b94..8bdd809 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -36,6 +36,7 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 2 + persist-credentials: false - name: Selective checks id: selective-checks env: @@ -68,6 +69,7 @@ jobs: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. fetch-depth: 2 + persist-credentials: false if: | matrix.language == 'python' && needs.selective-checks.outputs.needs-python-scans == 'true' || matrix.language == 'javascript' && needs.selective-checks.outputs.needs-javascript-scans == 'true' diff --git a/.github/workflows/label_when_reviewed_workflow_run.yml b/.github/workflows/label_when_reviewed_workflow_run.yml index d66472b..4400bae 100644 --- a/.github/workflows/label_when_reviewed_workflow_run.yml +++ b/.github/workflows/label_when_reviewed_workflow_run.yml @@ -51,6 +51,8 @@ jobs: "} - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: > Event: ${{ steps.source-run-info.outputs.sourceEvent }} Repo: ${{ steps.source-run-info.outputs.sourceHeadRepo }} @@ -68,9 +70,12 @@ jobs: with: ref: ${{ steps.source-run-info.outputs.targetCommitSha }} fetch-depth: 2 + persist-credentials: false # checkout the master version again, to use the right script in master workflow - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )" uses: actions/checkout@v2 + with: + persist-credentials: false - name: Selective checks id: selective-checks env: diff --git a/.github/workflows/scheduled_quarantined.yml b/.github/workflows/scheduled_quarantined.yml index 9877e4c..3071693 100644 --- a/.github/workflows/scheduled_quarantined.yml +++ b/.github/workflows/scheduled_quarantined.yml 
@@ -79,6 +79,8 @@ jobs: needs.trigger-tests.outputs.run-tests == 'true' || github.event_name != 'pull_request' steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: actions/setup-python@v2 with: python-version: '3.7'
