
decyjphr-org/secure-actions-demo


Hardening of GitHub Actions Workflows


GitHub Actions can provision infrastructure, deploy apps, create releases, access secrets, etc. Since anyone with write access to a repo can create an Actions workflow in it, we want to demonstrate examples of how to harden and secure workflows. Most of the examples listed here are based on the documentation for security-hardening-for-github-actions.

These are the topics that are covered in this repo:

Protecting workflow runs and secrets using Environments

This is documented here

Setting Environment protection rules and required approvers

This is documented here

In this repo, the branch add-colors has a workflow with 2 jobs:

  1. build
  2. deploy-staging

deploy-staging requires approval before deploying to staging.

image

The required reviewer is notified when their approval is needed:

image

Once they approve, the workflow runs 🎉 and the approval is audited:

image
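The protection rules above are set in the UI; the same settings can be applied through the REST API so they live in code and can be reviewed. This is an added example, not the demo repo's own code: `buildEnvironmentConfig`, `protectStagingEnvironment` and the reviewer ids are this example's own, the Octokit client is injected so a fake can stand in offline, and the API call is `createOrUpdateEnvironment` from @octokit/rest.

```javascript
// Added example (not the demo repo's own code): set the staging environment's
// protection rules through the REST API rather than the UI.
const ENVIRONMENT = 'staging';
const MAX_REVIEWERS = 6; // GitHub's limit on required reviewers per environment

// Validate the reviewer list and build the environment's protection settings.
function buildEnvironmentConfig({ reviewers, waitTimerMinutes = 0 }) {
  if (!Array.isArray(reviewers) || reviewers.length === 0) {
    throw new Error('at least one required reviewer is needed, or deploy-staging runs unreviewed');
  }
  if (reviewers.length > MAX_REVIEWERS) {
    throw new Error(`GitHub allows at most ${MAX_REVIEWERS} required reviewers`);
  }
  for (const r of reviewers) {
    if (!['User', 'Team'].includes(r.type) || !Number.isInteger(r.id)) {
      throw new Error(`reviewer must be {type: 'User'|'Team', id: number}, got ${JSON.stringify(r)}`);
    }
  }
  return {
    wait_timer: waitTimerMinutes,   // optional delay before a job may proceed
    prevent_self_review: true,      // whoever triggered the deployment cannot approve it
    reviewers,
    // only branches protected by branch rules may deploy to this environment
    deployment_branch_policy: { protected_branches: true, custom_branch_policies: false },
  };
}

// Apply the settings with an @octokit/rest-style client (creates or updates the environment).
async function protectStagingEnvironment(octokit, { owner, repo, reviewers }) {
  const config = buildEnvironmentConfig({ reviewers });
  await octokit.rest.repos.createOrUpdateEnvironment({
    owner, repo, environment_name: ENVIRONMENT, ...config,
  });
  return config;
}

// Constructed sample: two user ids (made up) who must approve deploy-staging.
const SAMPLE_REVIEWERS = [{ type: 'User', id: 1001 }, { type: 'User', id: 1002 }];
```

Run it with a real client as `protectStagingEnvironment(new Octokit({ auth }), { owner, repo, reviewers: SAMPLE_REVIEWERS })`; the returned config is what was sent.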

Preventing unauthorized workflow runs

This is achieved using a custom GitHub App. The key things to keep in mind are:

  1. There is a webhook that gets triggered: Workflow run webhook
  2. The webhook handler/GitHub App can listen to workflow run events and cancel unauthorized runs using the API to cancel a workflow run
  3. The webhook handler/GitHub App can listen to workflow run events and disable an unauthorized workflow using the API to disable a workflow

Example Probot App to cancel a workflow run and disable a workflow:

```javascript
/**
 * This is the main entrypoint to your Probot app
 * @param {import('probot').Application} app
 */
module.exports = app => {
  app.log('Yay, the app was loaded!')

  // Fires when a workflow run is requested, before any of its jobs start.
  app.on(['workflow_run.requested'], async context => {
    //app.log(`Workflow Run was requested! for  ${JSON.stringify(context.payload)}`)
    // Demo only: a random value stands in for a real authorization check.
    // Math.random() is in [0, 1), so the threshold must be a fraction or the
    // else branch can never run.
    let result = Math.random();
    if (result < 0.9) {
      app.log(`Cancelling since result is ${result}`)
      await cancelWorkflow(context);
      await disableWorkflow(context);
    } else {
      app.log(`Not cancelling since result is ${result}`)
    }
    return true;
  })

  // Cancel the run named in the webhook payload.
  async function cancelWorkflow(context) {
    try {
      await context.octokit.rest.actions.cancelWorkflowRun({
        owner: context.payload.repository.owner.login,
        repo: context.payload.repository.name,
        run_id: context.payload.workflow_run.id,
      });
    } catch (error) {
      app.log(error)
    }
  }

  // Disable the workflow definition so it cannot be requested again.
  async function disableWorkflow(context) {
    try {
      await context.octokit.rest.actions.disableWorkflow({
        owner: context.payload.repository.owner.login,
        repo: context.payload.repository.name,
        workflow_id: context.payload.workflow_run.workflow_id,
      });
    } catch (error) {
      app.log(error)
    }
  }

  // For more information on building apps:
  // https://probot.github.io/docs/
  // To get your app running against GitHub, see:
  // https://probot.github.io/docs/development/
}
```
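The demo app above decides at random; in practice the decision comes from a policy. The following is an added example and not the demo's own code: it keeps the same Probot hooks but replaces the random check with an explicit, explainable policy. `RUN_POLICY`, `isAuthorizedRun`, `probotApp` and `SAMPLE_PAYLOAD` are this example's own names; the payload fields (`workflow_run.path`, `.event`, `.actor`, `.head_repository.fork`) are those of the workflow_run webhook event.

```javascript
// Added example, not the demo's own code: policy-driven cancel/disable.
const RUN_POLICY = {
  // workflow files that are allowed to run at all
  allowedWorkflowPaths: new Set(['.github/workflows/ci.yml', '.github/workflows/deploy.yml']),
  // accounts allowed to start a run by hand (workflow_dispatch)
  dispatchActors: new Set(['release-bot']),
  // whether runs whose head commit comes from a fork may proceed
  allowForks: false,
};

// Pure decision function: returns { ok, reasons } so every cancellation is explainable.
function isAuthorizedRun(payload, policy = RUN_POLICY) {
  const run = payload.workflow_run;
  const reasons = [];
  if (!policy.allowedWorkflowPaths.has(run.path)) {
    reasons.push(`workflow ${run.path} is not allow-listed`);
  }
  if (run.event === 'workflow_dispatch' && !policy.dispatchActors.has(run.actor.login)) {
    reasons.push(`manual dispatch by ${run.actor.login} is not permitted`);
  }
  if (!policy.allowForks && run.head_repository && run.head_repository.fork) {
    reasons.push('run originates from a fork');
  }
  return { ok: reasons.length === 0, reasons };
}

// Probot entrypoint: cancel and disable anything the policy rejects, and log why.
function probotApp(app) {
  app.on('workflow_run.requested', async (context) => {
    const { payload } = context;
    const verdict = isAuthorizedRun(payload);
    if (verdict.ok) return;
    const repo = { owner: payload.repository.owner.login, repo: payload.repository.name };
    app.log.warn(`cancelling run ${payload.workflow_run.id}: ${verdict.reasons.join('; ')}`);
    await context.octokit.rest.actions.cancelWorkflowRun({ ...repo, run_id: payload.workflow_run.id });
    await context.octokit.rest.actions.disableWorkflow({ ...repo, workflow_id: payload.workflow_run.workflow_id });
  });
}
if (typeof module !== 'undefined') module.exports = probotApp; // what Probot loads

// Constructed sample event: a manual dispatch of an unknown workflow from a fork.
const SAMPLE_PAYLOAD = {
  repository: { owner: { login: 'acme' }, name: 'web' },
  workflow_run: { id: 42, workflow_id: 7, path: '.github/workflows/rogue.yml', event: 'workflow_dispatch',
    actor: { login: 'contractor' }, head_repository: { fork: true } },
};
console.log(isAuthorizedRun(SAMPLE_PAYLOAD)); // ok: false, with three reasons
```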

Organization or Enterprise level workflows

This feature is on the roadmap but is targeted for a not-yet-defined future date. It would enable you to define a workflow that runs against multiple repositories in an organization or enterprise, giving you the ability to define workflows that must be run in your organization or enterprise. For example, you could define a workflow to scan for secrets, licenses, and more. You'll be able to define a workflow at the organization or at the enterprise level and choose to run it in all repositories or in a subset of repositories.

Svanboxel Organization Workflows

This GitHub App allows you to run GitHub Actions workflows across multiple repositories, which is not yet natively supported. This app helps you, for example, to create a single workflow definition that is used for linting, compliance checks, and more.

https://github.com/SvanBoxel/organization-workflows

Auditing Workflow Run Events

The Audit Log now includes events associated with GitHub Actions workflow runs. This data provides enterprise customers with a greatly expanded data set for security and compliance audits (blog).

The various options for searching the audit log are explained at Reviewing the audit log for your organization.

Viewing Workflow events in the UI

In the documentation linked above, you can find information on accessing the Audit Log at https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization#accessing-the-audit-log

For workflow events, you can use the action parameter to filter. Please see the screenshot below:

image

Exporting the Audit Log

In the documentation linked above, you can find information on exporting the Audit Log at https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log

Using Audit Log API

In the documentation linked above, you can find information on using the Audit Log API at https://docs.github.com/en/github/setting-up-and-managing-organizations-and-teams/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api. For workflow events, you can use the phrase parameter with an action filter. For example, the following query https://api.github.com/organizations/65230155/audit-log?phrase=action:worflows will produce the result shown below:

image
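Beyond viewing the raw result, a defender wants the Actions events pulled out of the audit log and attributed to an actor. The following is an added example, not code from the demo repo: it builds the documented org audit-log query (`GET /orgs/{org}/audit-log` with `phrase=action:workflows`), follows `Link: rel="next"` pagination, and flags cancel/disable/enable/rerun events performed by anyone outside a trusted list. `auditLogUrl`, `fetchWorkflowAuditLog`, `reviewWorkflowEvents` and the sample entries are this example's own; `fetchImpl` is injected so a fake can be used offline.

```javascript
// Added example, not from the demo repo: query the org audit log for Actions
// events and turn the entries into a review summary. Sample entries are constructed.
function auditLogUrl(org, phrase = 'action:workflows', perPage = 100) {
  return `https://api.github.com/orgs/${encodeURIComponent(org)}/audit-log` +
    `?phrase=${encodeURIComponent(phrase)}&per_page=${perPage}`;
}

// Follow the Link: <...>; rel="next" header until the log is exhausted.
async function fetchWorkflowAuditLog(org, token, fetchImpl = fetch) {
  const entries = [];
  let url = auditLogUrl(org);
  while (url) {
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json' } });
    if (!res.ok) throw new Error(`audit log request failed: ${res.status}`);
    entries.push(...(await res.json()));
    const next = /<([^>]+)>;\s*rel="next"/.exec(res.headers.get('link') || '');
    url = next ? next[1] : null;
  }
  return entries;
}

// Events that stop, restart or switch off a workflow deserve attribution to a person.
const SENSITIVE_ACTIONS = new Set([
  'workflows.cancel_workflow_run', 'workflows.rerun_workflow_run',
  'workflows.disable_workflow', 'workflows.enable_workflow',
]);

// Count events per action and flag sensitive ones performed by untrusted actors.
function reviewWorkflowEvents(entries, trustedActors = []) {
  const trusted = new Set(trustedActors);
  const byAction = {};
  const findings = [];
  for (const e of entries) {
    if (typeof e.action !== 'string' || !e.action.startsWith('workflows.')) continue;
    byAction[e.action] = (byAction[e.action] || 0) + 1;
    if (SENSITIVE_ACTIONS.has(e.action) && !trusted.has(e.actor)) {
      findings.push({ at: new Date(e['@timestamp']).toISOString(), actor: e.actor, repo: e.repo, action: e.action });
    }
  }
  return { byAction, findings };
}

// Constructed sample entries in the audit log's shape (timestamps are epoch milliseconds).
const SAMPLE_ENTRIES = [
  { '@timestamp': 1700000000000, action: 'workflows.created_workflow_run', actor: 'dev1', repo: 'acme/web' },
  { '@timestamp': 1700000060000, action: 'workflows.completed_workflow_run', actor: 'dev1', repo: 'acme/web' },
  { '@timestamp': 1700000120000, action: 'workflows.disable_workflow', actor: 'unknown-admin', repo: 'acme/web' },
  { '@timestamp': 1700000180000, action: 'workflows.cancel_workflow_run', actor: 'guard-app[bot]', repo: 'acme/web' },
];
```

Against a live org, `fetchWorkflowAuditLog('your-org', token).then(e => reviewWorkflowEvents(e, ['guard-app[bot]']))` returns the counts and the findings to triage.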

Using a workflow template from your organization

This is documented here

⚠️ We don't recommend this because this requires public visibility for your .github repository.