diogoteles08 commented on issue #27470: URL: https://github.com/apache/beam/issues/27470#issuecomment-1734153394
Hey! This issue/PR has been idle for quite some time. I'm following up here because this issue is still valid and it's considerably dangerous. Trying to summarize my (extensive) original issue, the main concerns are:

1. The [beam_PreCommit_Go.yml](https://github.com/apache/beam/blob/master/.github/workflows/beam_PreCommit_Go.yml) file can possibly be abused to leak the `secrets.GE_CACHE_PASSWORD` secret and the others listed in [this code section](https://github.com/apache/beam/blob/master/.github/workflows/beam_PreCommit_Go.yml#L54). The workflow triggered by `pull_request_target` is run on the code of the PRs, and the script run on [this line](https://github.com/apache/beam/blob/master/.github/workflows/beam_PreCommit_Go.yml#L76) can be altered to print the secrets, which are inserted as ENV variables.

2. The [build_runner_image.yml](https://github.com/apache/beam/blob/master/.github/workflows/build_runner_image.yml) can possibly be abused to push a malicious docker image to the registry `apache-beam-testing/beam-github-actions/beam-arc-runner`. When triggered by `pull_request_target`, the workflow would run on the code of the malicious PR that triggered it, which could alter the code of the docker file that is built and pushed around these [lines of code](https://github.com/apache/beam/blob/master/.github/workflows/build_runner_image.yml#L55).

In general, both cases fit into the pattern named [Dangerous Workflow](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) by Scorecard, which exposes this as a Critical risk, the most critical among the Scorecard checks.
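The pattern the comment describes (a `pull_request_target` workflow that checks out the PR's own head commit while secrets are mapped into the job) is what Scorecard's Dangerous Workflow check flags. As an added illustration that is not part of the issue thread and not Apache Beam's or Scorecard's code, the script below does a text-level scan of workflow files for exactly that combination. Both workflow documents are constructed samples (the secret name `CACHE_PASSWORD` and the step contents are invented), the scan is line/regex based rather than a full YAML parse, and Scorecard's real implementation is more thorough; the point is to show the vulnerable shape next to the hardened one.

```python
import re

# Constructed sample: pull_request_target + checkout of the PR head + secrets in env.
# Not Apache Beam's real workflow; names and steps are invented for illustration.
VULNERABLE_WORKFLOW = """\
name: PreCommit Example
on:
  pull_request_target:
    branches: [master]
  workflow_dispatch:
jobs:
  test:
    runs-on: ubuntu-latest
    env:
      CACHE_PASSWORD: ${{ secrets.CACHE_PASSWORD }}
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./run-tests.sh
"""

# Constructed hardened variant: plain pull_request (no write token / secrets for
# forks) and a checkout of the merge ref rather than the untrusted head.
HARDENED_WORKFLOW = """\
name: PreCommit Example
on:
  pull_request:
    branches: [master]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: ./run-tests.sh
"""

# `ref:` pointing at the PR head (sha or branch) or github.head_ref = untrusted code.
PR_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\s*\}\}"
)
# Any `${{ secrets.X }}` expression anywhere in the file.
SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.")


def workflow_triggers(text):
    """Return the set of event names under the top-level `on:` key.

    Handles `on: push`, `on: [a, b]` and the block form with one event per
    indented line. A text-level scan avoids the YAML 1.1 quirk where `on`
    is read as a boolean key by some parsers.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:  # `on: push` or `on: [push, pull_request]`
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        events, indent = set(), None
        for sub in lines[i + 1:]:
            if not sub.strip():
                continue
            cur = len(sub) - len(sub.lstrip())
            if cur == 0:          # back at top level (`jobs:` etc.)
                break
            if indent is None:    # first nested level holds the event names
                indent = cur
            if cur == indent:
                events.add(sub.strip().split(":")[0])
        return events
    return set()


def checks_out_pr_head(text):
    return bool(PR_HEAD_REF.search(text))


def uses_secrets(text):
    return bool(SECRET_EXPR.search(text))


def scan_workflow(text):
    """Return finding labels for the dangerous-workflow pattern, empty if clean."""
    findings = []
    if "pull_request_target" in workflow_triggers(text) and checks_out_pr_head(text):
        findings.append("untrusted-code-checkout")
        if uses_secrets(text):
            # Untrusted code now runs in a job that can read repository secrets.
            findings.append("secrets-reachable-from-untrusted-code")
    return findings


if __name__ == "__main__":
    for name, doc in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, sorted(workflow_triggers(doc)), scan_workflow(doc))
```

Running the script reports both findings for the first document and none for the second. The fix it encodes is the one Scorecard's documentation recommends: either use `pull_request` (fork PRs then get no secrets and a read-only token), or keep `pull_request_target` but never check out and execute the PR's head commit in that job.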
