GitHub Actions can provision infrastructure, deploy apps, create releases, access secrets, and more. Since anyone with write access to a repo can create an Actions workflow in it, this repo demonstrates how to harden and secure workflows. Most of the examples listed here are based on the documentation for security-hardening-for-github-actions.
These are the topics that are covered in this repo:
- Hardening of GitHub Actions Workflows
- Protecting workflow runs and secrets using Environments
- Setting Environment protection rules and required approvers
- Preventing unauthorized workflow runs
- Organization or Enterprise level workflows
- Svanboxel Organization Workflows
- Auditing Workflow Run Events
- Using a workflow template from your organization
This is documented here
This is documented here
In this reference, we have a branch add-colors and there is a workflow that has 2 jobs:
- build
- deploy-staging
deploy-staging requires approval before deploying to stage.
The required reviewer is notified when their approval is needed:
Once they approve, the workflow runs 🎉 and the approval is audited:
This is achieved using a custom GitHub App. The key things to keep in mind are:
- There is a webhook that gets triggered: Workflow run webhook
- The webhook handler/GitHub App can listen to workflow run events and call the cancel a workflow run API to cancel a workflow run
- The webhook handler/GitHub App can listen to workflow run events and call the disable a workflow API to disable a workflow
Example Probot App to cancel a workflow run and disable a workflow:
```js
/**
 * This is the main entrypoint to your Probot app
 * @param {import('probot').Probot} app
 */
module.exports = (app) => {
  app.log.info('Yay, the app was loaded!');

  app.on('workflow_run.requested', async (context) => {
    // app.log.info(`Workflow Run was requested! for ${JSON.stringify(context.payload)}`);

    // Stand-in for a real authorization decision. Math.random() returns a value
    // in [0, 1), so the original comparison `result < 9` was always true and every
    // run was cancelled; the demo now cancels roughly half of the runs.
    // Replace this with your own policy check before deploying the app.
    const result = Math.random();
    if (result < 0.5) {
      app.log.info(`Cancelling and disabling since result is ${result}`);
      await cancelWorkflow(context);
      await disableWorkflow(context);
    } else {
      app.log.info(`Not cancelling since result is ${result}`);
    }
    return true;
  });

  // Cancel the workflow run named in the webhook payload.
  async function cancelWorkflow(context) {
    try {
      await context.octokit.rest.actions.cancelWorkflowRun({
        owner: context.payload.repository.owner.login,
        repo: context.payload.repository.name,
        run_id: context.payload.workflow_run.id,
      });
    } catch (error) {
      app.log.error(error);
    }
  }

  // Disable the workflow definition so it cannot start again until re-enabled.
  async function disableWorkflow(context) {
    try {
      await context.octokit.rest.actions.disableWorkflow({
        owner: context.payload.repository.owner.login,
        repo: context.payload.repository.name,
        workflow_id: context.payload.workflow_run.workflow_id,
      });
    } catch (error) {
      app.log.error(error);
    }
  }

  // For more information on building apps:
  // https://probot.github.io/docs/
  // To get your app running against GitHub, see:
  // https://probot.github.io/docs/development/
};
```
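The Probot app above gates cancellation on Math.random(). As an added example (not the repo's own code), here is the same decision written as a pure policy function that can be unit-tested offline: it inspects the workflow_run webhook payload fields (event, path, head_branch, head_repository, triggering_actor, the repository's default_branch) and returns whether the run should be cancelled and why. The allowlists in POLICY, the two sample payloads, and the onWorkflowRunRequested wrapper are assumptions made for illustration.

```javascript
// Added example, not part of the original repo. Policy values are assumptions:
// tune them to your organization.
const POLICY = {
  // Events that are allowed to start a workflow run at all.
  allowedEvents: new Set(['push', 'pull_request', 'workflow_dispatch']),
  // Accounts allowed to trigger privileged (deploying / secret-bearing) workflows.
  trustedActors: new Set(['octocat', 'release-bot']),
  // Workflow files (workflow_run.path) that deploy or read production secrets.
  privilegedWorkflows: new Set(['.github/workflows/deploy.yml']),
};

// Decide whether a workflow_run.requested payload should be cancelled.
// Returns { cancel: boolean, reasons: string[] } so the caller can log why.
function evaluateWorkflowRun(payload, policy = POLICY) {
  const run = payload.workflow_run;
  const repo = payload.repository;
  const reasons = [];
  const actor = ((run.triggering_actor || run.actor) || {}).login;
  const privileged = policy.privilegedWorkflows.has(run.path);
  const fromFork = Boolean(run.head_repository) &&
    run.head_repository.full_name !== repo.full_name;

  if (!policy.allowedEvents.has(run.event)) {
    reasons.push(`event "${run.event}" is not allowed to start workflows`);
  }
  if (privileged && fromFork) {
    reasons.push(`privileged workflow ${run.path} triggered from fork ${run.head_repository.full_name}`);
  }
  if (privileged && run.head_branch !== repo.default_branch) {
    reasons.push(`privileged workflow ${run.path} must run from ${repo.default_branch}, got ${run.head_branch}`);
  }
  if (privileged && !policy.trustedActors.has(actor)) {
    reasons.push(`actor "${actor}" is not trusted to run ${run.path}`);
  }
  return { cancel: reasons.length > 0, reasons };
}

// How the decision plugs into a Probot handler like the one above
// (assumes the same Probot context; not executed in this file).
async function onWorkflowRunRequested(context) {
  const decision = evaluateWorkflowRun(context.payload);
  if (!decision.cancel) return decision;
  await context.octokit.rest.actions.cancelWorkflowRun(
    context.repo({ run_id: context.payload.workflow_run.id })
  );
  context.log.warn({ reasons: decision.reasons }, 'cancelled unauthorized workflow run');
  return decision;
}

// Constructed sample payloads (field names follow the workflow_run webhook).
const SAMPLE_TRUSTED_PUSH = {
  repository: { full_name: 'acme/app', default_branch: 'main' },
  workflow_run: {
    id: 101, workflow_id: 7, event: 'push', path: '.github/workflows/ci.yml',
    head_branch: 'main', head_repository: { full_name: 'acme/app' },
    actor: { login: 'octocat' }, triggering_actor: { login: 'octocat' },
  },
};
const SAMPLE_TRUSTED_DEPLOY = {
  repository: { full_name: 'acme/app', default_branch: 'main' },
  workflow_run: {
    id: 102, workflow_id: 9, event: 'workflow_dispatch', path: '.github/workflows/deploy.yml',
    head_branch: 'main', head_repository: { full_name: 'acme/app' },
    actor: { login: 'release-bot' }, triggering_actor: { login: 'release-bot' },
  },
};
const SAMPLE_FORK_DEPLOY = {
  repository: { full_name: 'acme/app', default_branch: 'main' },
  workflow_run: {
    id: 103, workflow_id: 9, event: 'workflow_dispatch', path: '.github/workflows/deploy.yml',
    head_branch: 'add-colors', head_repository: { full_name: 'someone-else/app' },
    actor: { login: 'someone-else' }, triggering_actor: { login: 'someone-else' },
  },
};

module.exports = { POLICY, evaluateWorkflowRun, onWorkflowRunRequested };
```

Keeping the decision in a pure function means the allowlist logic can be tested in CI with constructed payloads, and the Probot handler only has to translate the result into cancelWorkflowRun and disableWorkflow calls.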
This feature is on the roadmap but targeted for a not-yet-defined future date. It would let you define a workflow that runs against multiple repositories in an organization or enterprise, and is designed to give you the ability to define workflows that must be run in your organization or enterprise. For example, you could define a workflow to scan for secrets, licenses, and more. You'll be able to define a workflow at the organization or at the enterprise level, and choose to run it in all repositories or in a subset of repositories.
This GitHub app allows you to run GitHub Actions workflows across multiple repositories, which is not yet natively supported. This app helps you - for example - to create a single workflow definition that is used for linting, compliance checks, and more.
https://github.com/SvanBoxel/organization-workflows
The Audit Log now includes events associated with GitHub Actions workflow runs. This data provides enterprise customers with a greatly expanded data set for security and compliance audits (see the GitHub blog announcement).
The options for searching the audit log are explained at Reviewing the audit log for your organization.
In that location above, you can find information on accessing the Audit Log at https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization#accessing-the-audit-log
For Workflow events, you can use the actions parameter to filter. Please see the screenshot below:
In that location above, you can find information on exporting the Audit Log at https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log
In that location above, you can find information on using the Audit Log API at https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api
For Workflow events, you can use the phrase parameter with the action filter. For example, the following query https://api.github.com/organizations/65230155/audit-log?phrase=action:worflows will produce the result as shown below:
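The query above, as an added example that is not from the original repo: a small Node.js script that builds the same kind of audit-log request against the documented /orgs/{org}/audit-log endpoint with the phrase=action:workflows filter, fetches it, and summarises the returned workflow events (including the approvals and cancellations shown earlier). The org name, token handling and the sample entries are constructed; the action names mirror GitHub's workflows.* audit event names.

```javascript
// Added example, not part of the original repo.

// Build GET /orgs/{org}/audit-log?phrase=action:workflows&per_page=N
// (org name is supplied by the caller; 'include' may be 'web', 'git' or 'all').
function buildAuditLogUrl(org, opts = {}) {
  const params = new URLSearchParams({
    phrase: opts.phrase || 'action:workflows',
    per_page: String(opts.perPage || 100),
  });
  if (opts.include) params.set('include', opts.include);
  return `https://api.github.com/orgs/${encodeURIComponent(org)}/audit-log?${params.toString()}`;
}

// Fetch one page of workflow audit events. Assumes the caller supplies a token
// with the admin:org scope (for example from an environment variable) and that
// the global fetch of Node.js 18+ is available. Not executed in this file.
async function fetchWorkflowAuditEvents(org, token) {
  const res = await fetch(buildAuditLogUrl(org), {
    headers: {
      Authorization: `Bearer ${token}`,
      Accept: 'application/vnd.github+json',
    },
  });
  if (!res.ok) throw new Error(`audit log request failed with HTTP ${res.status}`);
  return res.json();
}

// Count workflow events by action and pull out the ones that stop workflows
// (cancellations and disables): those are what a reviewer correlates with an
// enforcement app like the Probot example earlier on this page.
function summarizeWorkflowEvents(entries) {
  const byAction = {};
  const stops = [];
  for (const e of entries) {
    if (typeof e.action !== 'string' || !e.action.startsWith('workflows.')) continue;
    byAction[e.action] = (byAction[e.action] || 0) + 1;
    if (e.action === 'workflows.cancel_workflow_run' || e.action === 'workflows.disable_workflow') {
      stops.push({
        action: e.action,
        actor: e.actor,
        repo: e.repo,
        at: new Date(e['@timestamp']).toISOString(),
      });
    }
  }
  return { byAction, stops };
}

// Constructed sample of what the API returns: field names follow the audit-log
// schema, but the actors, repos, ids and timestamps are made up.
const SAMPLE_AUDIT_ENTRIES = [
  { '@timestamp': 1617000000000, action: 'workflows.created_workflow_run', actor: 'octocat', org: 'acme', repo: 'acme/app', workflow_run_id: 101 },
  { '@timestamp': 1617000060000, action: 'workflows.approve_workflow_job', actor: 'release-lead', org: 'acme', repo: 'acme/app', workflow_run_id: 101 },
  { '@timestamp': 1617000120000, action: 'workflows.created_workflow_run', actor: 'someone-else', org: 'acme', repo: 'acme/app', workflow_run_id: 102 },
  { '@timestamp': 1617000121000, action: 'workflows.cancel_workflow_run', actor: 'workflow-guard[bot]', org: 'acme', repo: 'acme/app', workflow_run_id: 102 },
  { '@timestamp': 1617000122000, action: 'workflows.disable_workflow', actor: 'workflow-guard[bot]', org: 'acme', repo: 'acme/app', workflow_id: 9 },
  { '@timestamp': 1617000200000, action: 'repo.create', actor: 'octocat', org: 'acme', repo: 'acme/new-service' },
];

// Usage against a real org (not run here):
//   fetchWorkflowAuditEvents('acme', process.env.GITHUB_TOKEN)
//     .then((entries) => console.log(summarizeWorkflowEvents(entries)));

module.exports = { buildAuditLogUrl, fetchWorkflowAuditEvents, summarizeWorkflowEvents };
```

The summary keeps non-workflow events out of the counts, so the phrase filter on the request and the prefix check in the code agree; paging (the after/before cursors) is left to the caller.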
This is documented here. Workflow templates are kept in your organization's `.github` repository.