Merge pull request #171 from learnsoftwaredevelopment/resolved-github-actions-bug-due-to-new-github-changes

Resolved GitHub actions bug due to new GitHub changes on 1 March 2021

Author: JonathanLeeWH

.github/workflows/app-test-container-no-docker-cache.yml

@@ -5,16 +5,41 @@ on:
     branches: [master]
   pull_request:
     branches: [master]
+  # Added in response to recent changes by GitHub on 1 March 2021 involving dependabot pull requests running with read only permissions which resulted in by default GitHub secrets are unable to be read.
+  # References:
+  # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target (Announcement of changes to be made to dependabot pull requests)
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ (Recommended security mitigations by GitHub)
+  # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (Ongoing GitHub issues by users in response to the changes)
+  pull_request_target:
+    branches: [master]
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
     timeout-minutes: 18
 
+    # If the Pull Request is coming from a fork (pull_request_target), ensure it's opened by "dependabot[bot]". Otherwise, clone it normally.
+    # References:
+    # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
+    # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (dependabot PM recommended solution)
+
+    if:
+      ${{ (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') ||
+      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') }}
+
     steps:
       - name: checkout
+        if: ${{ github.event_name != 'pull_request_target' }}
         uses: actions/checkout@v2.3.4
+
+      - name: checkout Pull Request (dependabot[bot] only)
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: actions/checkout@v2.3.4
+        with:
+          # Without ref with pull_request_target, it does not actually build the PR, instead it builds the latest changeset from the target repository which is not the intended behaviour. (Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ [Last example])
+          ref: ${{ github.event.pull_request.head.sha }}
+
       # Pull the latest image to build, and avoid caching pull-only images.
       # (docker pull is faster than caching in most cases.)
       - name: docker-compose pull

.github/workflows/app-test-container.yml

@@ -5,23 +5,50 @@ on:
     branches: [master]
   pull_request:
     branches: [master]
+  # Added in response to recent changes by GitHub on 1 March 2021 involving dependabot pull requests running with read only permissions which resulted in by default GitHub secrets are unable to be read.
+  # References:
+  # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target (Announcement of changes to be made to dependabot pull requests)
+  # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ (Recommended security mitigations by GitHub)
+  # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (Ongoing GitHub issues by users in response to the changes)
+  pull_request_target:
+    branches: [master]
 
 jobs:
   build:
     runs-on: ubuntu-latest
 
     timeout-minutes: 18
 
+    # If the Pull Request is coming from a fork (pull_request_target), ensure it's opened by "dependabot[bot]". Otherwise, clone it normally.
+    # References:
+    # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
+    # https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (dependabot PM recommended solution)
+
+    if:
+      ${{ (github.event_name == 'pull_request_target' && github.actor == 'dependabot[bot]') ||
+      (github.event_name != 'pull_request_target' && github.actor != 'dependabot[bot]') }}
+
     steps:
       - name: checkout
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: actions/checkout@v2.3.4
+
+      - name: checkout Pull Request (dependabot[bot] only)
+        if: ${{ github.event_name == 'pull_request_target' }}
         uses: actions/checkout@v2.3.4
+        with:
+          # Without ref with pull_request_target, it does not actually build the PR, instead it builds the latest changeset from the target repository which is not the intended behaviour. (Reference: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ [Last example])
+          ref: ${{ github.event.pull_request.head.sha }}
+
       # Pull the latest image to build, and avoid caching pull-only images.
       # (docker pull is faster than caching in most cases.)
       - name: docker-compose pull
         run: docker-compose pull
+
       - name: docker layer caching
         uses: satackey/action-docker-layer-caching@v0.0.11
         continue-on-error: true
+
       - name: Run test in container
         shell: bash
         env:

.github/workflows/node.js.yml

@@ -2,6 +2,12 @@
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
 # Addition of Cache Action
 
+## TODO: Add mitigations for GitHub Actions dependabot read only changes which resulted in GitHub Secrets cannot be read.
+## References:
+# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target (Announcement of changes to be made to dependabot pull requests)
+# https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ (Recommended security mitigations by GitHub)
+# https://github.com/dependabot/dependabot-core/issues/3253#issuecomment-797125425 (Ongoing GitHub issues by users in response to the changes)
+
 name: Node.js CI
 
 on: