
Use zizmor to audit github actions #1775

Open
notmandatory opened this issue Dec 14, 2024 · 0 comments · May be fixed by #1778

Comments

@notmandatory
Member

Describe the enhancement

We should audit GitHub Actions to make sure an attacker can't publish compromised bdk-ffi binaries.

see: https://discord.com/channels/753336465005608961/754077749282471937/1317184034010435625

Use case

See documentation for zizmor.

Additional context

This auditing should also be done on other bitcoindevkit org repos. In particular bdk-ffi, see: bitcoindevkit/bdk-ffi#638.

@notmandatory notmandatory added this to BDK Dec 14, 2024
@notmandatory notmandatory moved this to Todo in BDK Dec 14, 2024
@oleonardolima oleonardolima self-assigned this Dec 14, 2024
@oleonardolima oleonardolima linked a pull request Dec 16, 2024 that will close this issue
@notmandatory notmandatory moved this from Todo to In Progress in BDK Dec 18, 2024
@notmandatory notmandatory added this to the 1.1.0 milestone Jan 28, 2025
notmandatory added a commit to notmandatory/bdk that referenced this issue Jan 28, 2025
94daa75 fix(ci): do not persist credentials (Leonardo Lima)

Pull request description:

  fixes bitcoindevkit#1775

  <!-- You can erase any parts of this template not applicable to your Pull Request. -->

  ### Description

  I used `zizmor` on all current CI workflows; it's a tool that helps detect possible vulnerabilities in our CI jobs, see https://woodruffw.github.io/zizmor/.

  It can run against most of its audit rules; however, the ones that require the GitHub API token would require someone with access to it in order to test against it. So this PR does not cover the impostor-commit, ref-confusion and known-vulnerable-actions audit rules.

  <!-- Describe the purpose of this PR, what's being adding and/or fixed -->

  ### Notes to the reviewers

  <!-- In this section you can include notes directed to the reviewers, like explaining why some parts
  of the PR were done in a specific way -->

  ### Changelog notice

  - Do not persist credentials on GitHub Actions.

  <!-- Notice the release manager should include in the release tag message changelog -->
  <!-- See https://keepachangelog.com/en/1.0.0/ for examples -->

  ### Checklists

  #### All Submissions:

  * [x] I've signed all my commits
  * [x] I followed the [contribution guidelines](https://github.com/bitcoindevkit/bdk/blob/master/CONTRIBUTING.md)
  * [x] I ran `cargo fmt` and `cargo clippy` before committing

ACKs for top commit:
  notmandatory:
    ACK 94daa75

Tree-SHA512: 7809b019e31d3495d3b3b6c2bb2c71043451558cf64585aa37b2ab73331d2a5cf33cce11adb7dafc9e87894121dc930146b88220c7c50f840e5b47acec8aca41
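The change the linked PR makes ("do not persist credentials") targets one specific zizmor finding: an `actions/checkout` step that keeps the default `persist-credentials: true` leaves the job's token in `.git/config`, where any later step (including third-party actions) can read it. The script below is an added example, not code from the bdk project or from zizmor: a simplified, line-based scan that groups workflow lines into steps and reports each `actions/checkout` step that does not set `persist-credentials: false`. The workflow text is constructed for the example, and the scan is an assumption-laden shortcut (plain block-style steps only, no quoted booleans, no full YAML parsing); for real audits run zizmor itself.

```python
"""Added example: a minimal line-based check for `actions/checkout` steps that
still persist the job token (the default). Not part of bdk or zizmor; it only
understands the plain block-style step layout used in the constructed sample."""

import re
from typing import List, Optional, Tuple

# Constructed sample workflow: job "build" has a weak checkout (line 7),
# job "test" has a hardened one (lines 13-16).
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: cargo build
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: cargo test
"""

# A step line that uses actions/checkout, with or without the leading "- ".
CHECKOUT_RE = re.compile(r"^\s*-?\s*uses:\s*actions/checkout@")
# The start of a YAML sequence item; group(1) is its indentation.
STEP_START_RE = re.compile(r"^(\s*)-\s")
HARDENED_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def split_steps(text: str) -> List[Tuple[int, List[str]]]:
    """Group lines into sequence items ("steps"): an item starts at a line
    beginning with "- " and runs until the next "- " at the same indent or a
    dedent below it. Returns (1-based line number of the item start, lines)."""
    steps: List[Tuple[int, List[str]]] = []
    current: Optional[Tuple[int, List[str]]] = None
    step_indent: Optional[int] = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = STEP_START_RE.match(line)
        if m and (step_indent is None or len(m.group(1)) <= step_indent):
            if current is not None:
                steps.append(current)
            step_indent = len(m.group(1))
            current = (lineno, [line])
        elif current is not None and step_indent is not None and _indent(line) > step_indent:
            current[1].append(line)
        else:
            # Dedented out of the sequence (e.g. the next job); close the item.
            if current is not None:
                steps.append(current)
            current = None
            step_indent = None
    if current is not None:
        steps.append(current)
    return steps


def find_unhardened_checkouts(text: str) -> List[int]:
    """Return line numbers of actions/checkout steps that do not set
    `persist-credentials: false` and therefore keep the token in .git/config."""
    findings = []
    for start, lines in split_steps(text):
        if not any(CHECKOUT_RE.match(l) for l in lines):
            continue
        if not any(HARDENED_RE.match(l) for l in lines):
            findings.append(start)
    return findings


if __name__ == "__main__":
    for lineno in find_unhardened_checkouts(SAMPLE_WORKFLOW):
        print(f"line {lineno}: actions/checkout without persist-credentials: false")
```

The fix it points at is the one in the commit above: add `with: persist-credentials: false` to every checkout step that does not need to push back to the repository, and give the rare step that does its own narrowly scoped token.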
@notmandatory notmandatory moved this from In Progress to Needs Review in BDK Jan 28, 2025