Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ci): move untrusted gh context to envvar #9366

Merged
merged 1 commit into from
May 15, 2024
Merged

fix(ci): move untrusted gh context to envvar #9366

merged 1 commit into from
May 15, 2024

Conversation

raphdev
Copy link
Contributor

@raphdev raphdev commented May 14, 2024
edited
Loading

Mergify workflow directly interpolates elements from GitHub context. While currently there's no significant security implication, we do the recommended practice of storing them in intermediate environment variables.

@raphdev raphdev requested review from mhofman, michaelfig and LuqiPan May 14, 2024 20:32
@raphdev raphdev force-pushed the raph/gh-context-env branch from 2c397c8 to c107523 Compare May 14, 2024 20:40
@cloudflare-workers-and-pages Cloudflare Workers and Pages
Copy link

cloudflare-workers-and-pages bot commented May 14, 2024
edited
Loading

Deploying agoric-sdk with  Cloudflare Pages  Cloudflare Pages

Latest commit: 58fc32e
Status: ✅  Deploy successful!
Preview URL: https://2f3f2b39.agoric-sdk.pages.dev
Branch Preview URL: https://raph-gh-context-env.agoric-sdk.pages.dev

View logs

LuqiPan
LuqiPan approved these changes May 14, 2024
View reviewed changes
Copy link
Contributor

@LuqiPan LuqiPan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for fixing this.

I also verified that the output of semgrep --config "p/github-actions" is clean.

michaelfig
michaelfig reviewed May 14, 2024
View reviewed changes
Copy link
Member

@michaelfig michaelfig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe @LuqiPan would know better, but can we search for all attempts to quote template expansion?

fgrep -r '"${{' .github
fgrep -r "'\${{" .github

@LuqiPan
Copy link
Contributor

LuqiPan commented May 14, 2024

Maybe @LuqiPan would know better, but can we search for all attempts to quote template expansion?

I've confirmed that this PR will fix all culprits in agoric-sdk repo. I'll start a separate investigation across all of our github organizations.

@raphdev raphdev added the automerge:rebase Automatically rebase updates, then merge label May 15, 2024
@raphdev raphdev force-pushed the raph/gh-context-env branch from c107523 to 58fc32e Compare May 15, 2024 19:55
@mergify mergify bot merged commit c56324b into master May 15, 2024
63 checks passed
@mergify mergify bot deleted the raph/gh-context-env branch May 15, 2024 20:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LuqiPan LuqiPan LuqiPan approved these changes

@michaelfig michaelfig michaelfig approved these changes

@mhofman mhofman mhofman approved these changes

Assignees
No one assigned
Labels
automerge:rebase Automatically rebase updates, then merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@raphdev @LuqiPan @mhofman @michaelfig