fix: pin 2 unpinned action(s), extract 6 unsafe expression(s) to env vars #126532
dagecko wants to merge 1 commit into dotnet:main from
Conversation
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:
 .github/workflows/backport.yml                 | 2 +-
 .github/workflows/breaking-change-doc.lock.yml | 6 ++++--
 .github/workflows/code-review.lock.yml         | 6 ++++--
 .github/workflows/copilot-echo.lock.yml        | 6 ++++--
 .github/workflows/inter-branch-merge-flow.yml  | 2 +-
 5 files changed, 14 insertions(+), 8 deletions(-)

Tagging subscribers to this area: @dotnet/runtime-infrastructure

@dotnet-policy-service agree [company="Vigilant"]

@dotnet-policy-service agree
| backport: | ||
| if: ${{ contains(github.event.comment.body, '/backport to') || github.event_name == 'schedule' }} | ||
| uses: dotnet/arcade/.github/workflows/backport-base.yml@main | ||
| uses: dotnet/arcade/.github/workflows/backport-base.yml@a27cb13c8355fd3711a66e8c0d4f71e76dafaa18 # main |
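Review bot: The trailing `# main` comment records a moving branch rather than a released version, so this SHA will silently fall behind `main` with nothing in the file indicating when to refresh it. If the pin is kept, pair it with an automated updater or a documented refresh cadence; if the intent for this first-party reusable workflow is to always consume the latest version, the pin works against that and the line should stay `@main`.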
this intentionally doesn't use pinning since we fully control the dotnet/arcade repository and always want to consume the latest version
| # Re-authenticate git with GitHub token | ||
| SERVER_URL_STRIPPED="${SERVER_URL#https://}" | ||
| git remote set-url origin "https://x-access-token:${{ github.token }}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" | ||
| git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@${SERVER_URL_STRIPPED}/${REPO_NAME}.git" |
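Review bot: The rewritten line reads `${GITHUB_TOKEN}`, but none of the shown lines map that variable, and the runner does not export `GITHUB_TOKEN` into the shell environment on its own; unless this step (or the job) also gains `env: GITHUB_TOKEN: ${{ github.token }}`, the remote URL is written with an empty credential and the later push fails. Confirm the `env:` mapping lands in the same step. Note also that `github.token` is not contributor-controlled input, so this extraction is hygiene rather than an injection fix; the expression-in-`run:` rule matters most for contexts such as `github.event.*`.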
this is generated code by GitHub Agentic Workflows and shouldn't be touched, please send a PR to fix this upstream. looks like this happens in https://github.com/github/gh-aw/blob/main/pkg/workflow/git_configuration_steps.go#L48
| jobs: | ||
| Merge: | ||
| uses: dotnet/arcade/.github/workflows/inter-branch-merge-base.yml@main No newline at end of file | ||
| uses: dotnet/arcade/.github/workflows/inter-branch-merge-base.yml@a27cb13c8355fd3711a66e8c0d4f71e76dafaa18 # main No newline at end of file |
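Review bot: Same pattern as backport.yml, so the same decision applies (an intentional `@main` for a first-party reusable workflow versus a SHA that needs an update process). Both sides of this hunk carry the `No newline at end of file` marker; since the line is being edited anyway, adding the trailing newline keeps later diffs on this file clean.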
Thanks. I'd be interested to learn more about the findings in bump-chrome-version.yml and labeler-predict-pulls.yml

Thanks for asking @akoeplinger.
bump-chrome-version.yml was flagged because
labeler-predict-pulls.yml was flagged for
Neither of these are critical and your team has clearly thought through the security model on these workflows. They were included as informational findings for your review, not as issues requiring immediate action.
That said, the pinning and permissions changes in this PR are the most important piece. I've been watching a nation-state actor target maintainers of high-profile open source projects for the last 5 weeks and have been working on hardening these projects before they're hit. The SHA pins in this PR ensure that even if a maintainer account is compromised the pinned commits cannot be silently replaced.
Chris

Thanks @akoeplinger.
backport.yml understood. From what I've seen both across other repos and the actual attacks over the last 5 weeks I would recommend keeping the pin, but it's up to you. Let me know what you'd like and I can make the change.
breaking-change-doc.lock.yml and inter-branch-merge-flow.yml
I actually found this in another repo as well and already scanned gh-aw. Found 33 findings there. I'll get a PR submitted upstream to fix it at the source.
Chris
Summary
This PR hardens your CI/CD workflows against supply chain attacks by pinning GitHub Actions to immutable commit SHAs and extracting unsafe expressions from run: blocks into env: mappings.
Fixes applied (in this PR)
- backport.yml
- breaking-change-doc.lock.yml
- code-review.lock.yml
- copilot-echo.lock.yml
- inter-branch-merge-flow.yml
Advisory: additional findings (manual review recommended)
- breaking-change-doc.lock.yml
- breaking-change-doc.lock.yml
- bump-chrome-version.yml
- labeler-predict-pulls.yml
Why this PR
I've been scanning the top 50,000 GitHub repositories for CI/CD pipeline vulnerabilities over the last 5 weeks as part of an ongoing research effort into the supply chain attack campaign that started with tj-actions in March and has escalated through multiple phases since, where attackers compromise maintainer accounts and force-push malicious code to mutable action tags - every downstream project referencing those tags then executes the attacker's code with full access to secrets and deployment credentials.
You may notice that I have opened up a lot of PRs - don't take that as a negative. I've been working around the clock on this and monitoring all comms. It may take me an hour or two to get back to a comment you leave.
How to verify
Every change is mechanical and preserves workflow behavior:
- action@v3 becomes action@abc123 # v3 (original version preserved as a comment)
- ${{ expr }} in run: moves to an env: block, referenced as "${ENV_VAR}" in the script
I've had 22 merges so far. I created a tool called Runner Guard to assist in my research - it does mechanical, non-AI fixes to reduce hallucinations to zero and produce consistent fixes. If you would like to scan it yourself to validate my work, feel free.
Happy to answer any questions - I'm monitoring comms on every PR.
- Chris Nyhuis (dagecko)
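An added checker, not part of this PR or of Runner Guard, that applies the two rules from "How to verify" to a workflow file: it reports `uses:` references not pinned to a full 40-hex commit SHA and `${{ }}` expressions inside `run:` values (inline or block scalar), tagging those drawn from contributor-influenced contexts as injection risks. The sample workflow, the placeholder SHA and the untrusted-prefix list are constructed assumptions.

```python
import re
# Constructed sample workflow (not from dotnet/runtime): one floating tag, one
# placeholder SHA pin, and a run: block that interpolates two expressions.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: comment handler
        run: |
          echo "Comment: ${{ github.event.comment.body }}"
          git remote set-url origin "https://x-access-token:${{ github.token }}@github.com/o/r.git"
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
"""
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
# Contexts an outside contributor can influence (heuristic prefix list, an assumption).
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref", "inputs.")

def find_unpinned_uses(text):
    """(line, ref) for each uses: whose ref is not a full 40-hex commit SHA."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        # Local (./) and docker:// references have no git ref to pin; skip them.
        if m and not m.group(1).startswith(("./", "docker://")):
            if not SHA_RE.match(m.group(1).partition("@")[2]):
                out.append((n, m.group(1)))
    return out

def find_run_expressions(text):
    """(line, expr, risk) for each ${{ }} inside a run: value, inline or block scalar."""
    out, in_run, run_indent = [], False, 0
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if in_run and line.strip() and indent <= run_indent:
            in_run = False  # a dedented non-blank line ends the block scalar
        m = RUN_RE.match(line)
        if m:
            in_run, run_indent, body = True, indent, m.group(1)
        elif in_run:
            body = line
        else:
            continue
        for e in EXPR_RE.findall(body):
            risk = "injection" if e.startswith(UNTRUSTED_PREFIXES) else "info"
            out.append((n, e, risk))
    return out
```

Once an expression has been moved to an `env:` mapping and the script references `${ENV_VAR}` instead, `find_run_expressions` reports nothing for that line, which is the check a reviewer can run over a rewritten workflow.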