
feat: Split validations to required (stopping release) and optional (not stopping the release) #101

Merged
merged 5 commits into from
Jul 23, 2024
48 changes: 40 additions & 8 deletions .github/workflows/release-spec-prod.yml
@@ -6,7 +6,8 @@ on:
permissions:
contents: write
jobs:
run-validations:
# Required validations will stop the release if they fail
run-required-validations:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
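Review bot: the workflow-level `permissions: contents: write` shown in the context at the top of this hunk now applies to both the renamed run-required-validations job and the new run-optional-validations job, although none of the visible steps pushes to the repository and the issue-creation steps authenticate with a PAT rather than GITHUB_TOKEN. If no step in these two jobs needs write access, move `permissions:` under the job that does (or reduce it to `contents: read`), which is the least-privilege control the review thread itself cites.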
@@ -15,12 +16,14 @@ jobs:
env:
SPECTRAL_VERSION: ${{ vars.SPECTRAL_VERSION }}
run: npx -- @stoplight/spectral-cli@"${SPECTRAL_VERSION}" lint ./tools/cli/test/data/openapi-foas*.{yml,yaml} --ruleset=.spectral.yaml # we will update this to lint the FOAS in CLOUDP-263186
- name: Validate the FOAS can be used to generate Postman collection
run: |
cp -rf "./tools/cli/test/data/openapi-foas-dev.json" "./tools/postman/openapi/atlas-api.json"
pushd tools/postman
make convert_to_collection
popd
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: "(PROD) Required Spectral validation failed :scream_cat:"
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
token: ${{ secrets.API_BOT_PAT }}
- name: Install Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
with:
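Review bot: the new Create Issue step hands `secrets.API_BOT_PAT` to imjohnbo/issue-bot, but the issue is opened in the same repository (`github.repository`), so the built-in GITHUB_TOKEN with a job-level `permissions: issues: write` would suffice and would keep a long-lived PAT out of a step that runs on every failure. If the PAT is required so the issue is filed as a specific bot user, add a short comment beside `token:` saying so.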
@@ -36,4 +39,33 @@ jobs:
cp -rf "./tools/cli/test/data/openapi-foas-dev.yaml" "atlas-sdk-go/openapi/atlas-sdk.yaml"
pushd atlas-sdk-go
make -e openapi-pipeline

popd
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: "(PROD) Required GO SDK validation failed :scream_cat:"
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
token: ${{ secrets.API_BOT_PAT }}

# Optional validations won't stop the release but only open a GH issue if they fail
run-optional-validations:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
Collaborator:
(interest piqued) do we normally pin these actions versions?
Any particular reason?

Collaborator (author):

The security team recommended using a specific SHA version for actions to prevent the risk of using a maliciously modified action. For GitHub actions like actions/checkout, this isn’t necessary because they are considered secure. However, I copied and pasted from another action xD

Based on The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree (paloaltonetworks.com)

How to Protect Your Workflows and Assets
Multiple security controls can prevent or raise the difficulty of successfully attacking repositories using the worm. In order of effectiveness, controls include:

  • Set GITHUB_TOKEN and PAT contents permission to the minimum required — with special attention to reducing write permissions against the repository — to prevent infection by the worm. Consider using GitHub’s actions-permissions project to reduce workflow permissions. In general, implement strict PBAC (Pipeline-Based Access Controls) to make sure the workflow is granted with the least privileges and access it needs to fulfill its purpose.
  • Configure branch and tag protection to further prevent infection and protect the codebase.
  • Monitor and limit outbound network connections from workflow runners to prevent the download of malicious code into pipelines and prevent malware from reporting to C2 servers.
  • Pin actions using a commit hash to reduce the risk of using a maliciously modified action.

Collaborator:

Thank you!
@Luke-Sanderson could you double-check to make sure any actions introduced for Postman have pinned versions?

Contributor:

I was using the version tag rather than the commit hash. I assume this has the same security implications? I chose to use the version tag because that was used in the Go-SDK.

Collaborator (author):

We can use the secrets exfiltrated in the flow to infect the repository with malicious code. Overwriting a commit while keeping its hash the same isn’t possible, so we can’t abuse a commit hash reference. We still have two options:

  • Infecting by pushing code to a branch: We can use the GITHUB_TOKEN or PAT used in a job to push malicious code to a branch if the token is granted with the contents:write permission.
  • Infecting by creating a tag: We can use the GITHUB_TOKEN or PAT used in a job to create a malicious tag or override an existing tag to infect dependent repositories referencing the action by a tag.

Contributor:

Ah okay makes sense. I have only used actions/checkout and actions/cache so far but I'll keep that in mind if I use any external actions in the future.
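The thread above settles on pinning third-party actions to a full commit SHA rather than a tag or branch. The following checker is an added example for that discussion, not code from this PR or repository: it scans a workflow file's `uses:` lines and reports every reference that is still mutable. The three SHA-pinned lines in the constructed sample mirror this PR's workflow; the `actions/cache@v4`, `example-org/example-action@main` and `./.github/actions/local` lines are made up to exercise the other cases.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example for the pinning discussion in the PR thread; it is not code from
this PR or repository. It works on the raw workflow text, so no YAML library
is required.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Only a full 40-hex SHA-1 commit id is immutable; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Captures the value of a `uses:` key, with or without a leading list dash or quotes.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


@dataclass
class UsesRef:
    line_no: int
    action: str          # owner/repo[/path], ./local-path or docker://image
    ref: Optional[str]   # text after '@', None when absent
    kind: str            # "sha", "mutable", "missing", "local" or "docker"


def classify(spec: str) -> Tuple[str, Optional[str], str]:
    """Split `owner/repo@ref` and decide whether the reference is immutable."""
    if spec.startswith("./"):
        return spec, None, "local"       # same-repo composite action, no ref
    if spec.startswith("docker://"):
        return spec, None, "docker"      # image refs need a digest check instead
    action, sep, ref = spec.partition("@")
    if not sep:
        return action, None, "missing"   # no ref at all
    if SHA_RE.match(ref):
        return action, ref, "sha"
    return action, ref, "mutable"        # tag (v4) or branch (main) can be retargeted


def scan_workflow(text: str) -> List[UsesRef]:
    """Return every `uses:` reference in the workflow text, in file order."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify(m.group(1))
            found.append(UsesRef(line_no, action, ref, kind))
    return found


def find_unpinned(text: str) -> List[UsesRef]:
    """Only the references a reviewer should push back on."""
    return [u for u in scan_workflow(text) if u.kind in ("mutable", "missing")]


# Constructed sample: the three SHA-pinned lines mirror this PR's workflow; the
# actions/cache, example-org and ./local lines are made up to exercise each case.
SAMPLE_WORKFLOW = """\
jobs:
  run-required-validations:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      - name: Install Go
        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
      - name: Restore cache (constructed, tag-pinned)
        uses: actions/cache@v4
      - name: Create Issue
        if: ${{ failure() }}
        uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
      - name: Constructed branch reference
        uses: example-org/example-action@main
      - name: Local composite action (constructed)
        uses: ./.github/actions/local
"""


def report(text: str) -> str:
    """One line per unpinned reference, suitable for a CI log or PR comment."""
    lines = []
    for u in find_unpinned(text):
        ref_txt = f"@{u.ref}" if u.ref else ""
        lines.append(f"line {u.line_no}: {u.action}{ref_txt} is {u.kind}; pin to a commit SHA")
    return "\n".join(lines) if lines else "all action references are SHA-pinned"


if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows/release-spec-prod.yml
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    print(report(source))
```

Run it against a workflow path to get a line-numbered list of references to fix; with no argument it reports on the constructed sample, where only the `actions/cache@v4` and `example-org/example-action@main` lines are flagged. Local composite actions and `docker://` images are listed separately because a commit SHA does not apply to them (images should be pinned by digest instead).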

- name: Validate the FOAS can be used to generate Postman collection
run: |
cp -rf "./tools/cli/test/data/openapi-foas-dev.json" "./tools/postman/openapi/atlas-api.json"
pushd tools/postman
make convert_to_collection
popd
- name: Create Issue
if: ${{ failure() }}
uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
with:
labels: failed-release
title: "(PROD) Optional Postman validation failed :scream_cat:"
body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
token: ${{ secrets.API_BOT_PAT }}
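Review bot: the second Create Issue step in run-required-validations (`title: "(PROD) Required GO SDK validation failed :scream_cat:"`) is conditioned on `if: ${{ failure() }}`, which is true whenever any earlier step in the job has failed. A Spectral lint failure therefore opens both the Spectral issue and the GO SDK issue: the Go steps are skipped rather than failed, but failure() still holds when the second Create Issue is evaluated. Give each validation step an `id:` and condition its Create Issue on that step, e.g. `if: ${{ failure() && steps.go-sdk.outcome == 'failure' }}`. The optional job does not have this problem since it has a single validation step.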