Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(github-workflows): use official GitHub action for token generation #419

Merged
merged 3 commits into from
Dec 11, 2024
Merged

fix(github-workflows): use official GitHub action for token generation #419

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
964ffb5
fix(github-workflows): use official GitHub action for token generation
bthuilot Dec 10, 2024
7478c28
Merge branch 'master' into bryce.thuiilot/vuln-9301
jack-edmonds-dd Dec 11, 2024
3fde6e3
Merge branch 'master' into bryce.thuiilot/vuln-9301
jack-edmonds-dd Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions .github/workflows/approved_status.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Send PR Approval Status

permissions:
permissions:
contents: read
pull-requests: write

Expand All @@ -25,13 +25,13 @@ jobs:
steps:
- name: Get GitHub App token
id: get_token
uses: tibdex/github-app-token@v1
uses: actions/create-github-app-token@v1
bthuilot marked this conversation as resolved.
Show resolved Hide resolved
with:
app_id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private_key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
repository: DataDog/datadog-api-spec
- name: Post PR review status check
uses: DataDog/github-actions/post-review-status@v2
with:
github-token: ${{ steps.get_token.outputs.token }}
repo: datadog-api-spec
repo: datadog-api-spec
8 changes: 4 additions & 4 deletions .github/workflows/prepare_release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,10 @@ jobs:
steps:
- name: Get GitHub App token
id: get_token
uses: tibdex/github-app-token@v1
uses: actions/create-github-app-token@v1
bthuilot marked this conversation as resolved.
Show resolved Hide resolved
with:
app_id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private_key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
- uses: actions/checkout@v3

- name: Setup Git
Expand Down Expand Up @@ -114,4 +114,4 @@ jobs:
owner: context.repo.owner,
repo: context.repo.repo,
labels: ["changelog/no-changelog"],
});
});
8 changes: 4 additions & 4 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,10 @@ jobs:
steps:
- name: Get GitHub App token
id: get_token
uses: tibdex/github-app-token@v1
uses: actions/create-github-app-token@v1
bthuilot marked this conversation as resolved.
Show resolved Hide resolved
with:
app_id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private_key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
- name: Create release
uses: actions/github-script@v6
env:
Expand All @@ -41,4 +41,4 @@ jobs:
repo: context.repo.repo,
generate_release_notes: true,
tag_name: tagName,
});
});
14 changes: 7 additions & 7 deletions .github/workflows/test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Run Tests

permissions:
permissions:
contents: read

env:
Expand Down Expand Up @@ -30,10 +30,10 @@ jobs:
- name: Get GitHub App token
if: github.event_name == 'pull_request'
id: get_token
uses: tibdex/github-app-token@v2.1.0
uses: actions/create-github-app-token@v1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

with:
app_id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private_key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
installation_retrieval_mode: repository
installation_retrieval_payload: DataDog/datadog-api-spec
- uses: actions/checkout@v3
Expand Down Expand Up @@ -115,10 +115,10 @@ jobs:
- name: Get GitHub App token
if: github.event_name == 'pull_request'
id: get_token
uses: tibdex/github-app-token@v2.1.0
uses: actions/create-github-app-token@v1
bthuilot marked this conversation as resolved.
Show resolved Hide resolved
with:
app_id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private_key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
installation_retrieval_mode: repository
installation_retrieval_payload: DataDog/datadog-api-spec
- name: Post status check
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/test_integration.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,10 +44,10 @@ jobs:
- name: Get GitHub App token
if: github.event_name == 'pull_request'
id: get_token
uses: tibdex/github-app-token@v2.1.0
uses: actions/create-github-app-token@v1
bthuilot marked this conversation as resolved.
Show resolved Hide resolved
with:
app_id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private_key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
app-id: ${{ secrets.PIPELINE_GITHUB_APP_ID }}
private-key: ${{ secrets.PIPELINE_GITHUB_APP_PRIVATE_KEY }}
installation_retrieval_mode: repository
installation_retrieval_payload: DataDog/datadog-api-spec
- name: Checkout code
Expand Down Expand Up @@ -92,4 +92,4 @@ jobs:
github-token: ${{ steps.get_token.outputs.token }}
repo: datadog-api-spec
status: success
context: integration
context: integration
Loading