FOSSA scan enabled

[idvoretskyi]

Ref.: cncf/foundation#109

Signed-off-by: Ihor Dvoretskyi ihor@linux.com

[milosgajdos]

Should this be added to GH repo secrets rather than being exposed here?

[idvoretskyi]

@milosgajdos nope, unfortunately, it won't work as a secret if triggered from the repo fork (https://docs.github.com/en/actions/reference/encrypted-secrets#using-encrypted-secrets-in-a-workflow).

At the same time, this is a read-only API key, which can be exposed safely - https://docs.fossa.com/docs/api-reference#push-only-api-token, so let's keep it as is.

[milosgajdos]

This is a bit strange. I can see how someone can abuse this easily by pushing all kinds of nonsense using this API key. Does this also mean that forks will be able to override the upstream build data?

[idvoretskyi]

@milosgajdos I agree that it could be done differently, but this is how does it work. So it's a common approach across the whole board of CNCF projects (they are all referenced in this issue - cncf/foundation#109).

You can find more details in the thread under this PR kedacore/keda#860, where we've noticed these challenges for the first time.

[wy65701436]

From the PR kedacore/keda#860, it's using the secret as the API key.

[idvoretskyi]

From my side, this feels dodgy and I'd like someone to talk to FOSSA developers so they sort out this security circus with GitHub folks.

I have already discussed this with FOSSA a while ago, and yes, this is their suggested solution.

However, CNCF now own this repo so if they're happy with the current state of things we can merge this in, indeed.

To clarify - I am with CNCF. I agree that this is not the most perfect solution that could be, but this is a common practice across other projects; suggested by the FOSSA team themselves.

[milosgajdos]

Sure, but I can't help but still express my dislike of it. Going forward it's probably something worth bringing up with @chrispat so GH come up with some way of addressing this.

[chrispat]

If you are using a secret in a workflow that is run on pull requests from forks it would easily be extracted so having it as a secret value vs plain text isn't protecting anything.

[milosgajdos]

Yes, I understand this, but I'm struggling to accept it as an "Ok situation because XYZ". I haven't given this much thought, tbh, but surely it's in GH's [and OSS developers] interest to come up with some solution to this workflow?

[chrispat]

It would be great if something were possible but I just don't know how to keep any sort of value secret in an environment that lest you run arbitrary code from unknown sources. In the case of CI and open source contribution that is a fundamental need.

It is possible that FOSSA could enable a system like you have with CodeCov where they use some other information in the environment along with a call back to the Actions API rather than an API key.

[milosgajdos]

Ignore the CI. The failed run is related to the empty space char present in one of the earlier commits and it's making CI sad. I think if you rebased the CI run would pass, but we can do that during merge.

[idvoretskyi]

@milosgajdos any other blockers for now?

[milosgajdos]

@milosgajdos any other blockers for now?

I gave it my tick a while back. Unfortunately, I can't merge it unless there are at least 2 approvals from maintainers -- otherwise I would have already merged it in.

CC: @chrispat @wy65701436

[milosgajdos]

Ok, one last bit @idvoretskyi . Can you please squash the commits? I believe that will also get rid of the build failure as there is some empty space char in your first commit (See git show --check c8e7fbecc6cc105aaa242b1515945f6c746fc21c) Then we're good to go.

[idvoretskyi]

@milosgajdos here we go :)

[codecov-commenter]

Codecov Report

Merging #3396 (df39a77) into main (6891d94) will decrease coverage by 0.00%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #3396      +/-   ##
==========================================
- Coverage   56.31%   56.31%   -0.01%     
==========================================
  Files         102      102              
  Lines        7243     7281      +38     
==========================================
+ Hits         4079     4100      +21     
- Misses       2523     2535      +12     
- Partials      641      646       +5     

Impacted Files	Coverage Δ
...ibution/registry/storage/schema2manifesthandler.go	61.66% <0.00%> (-0.84%)	⬇️
...distribution/distribution/registry/handlers/app.go	46.16% <0.00%> (-0.09%)	⬇️
...bution/distribution/configuration/configuration.go	62.03% <0.00%> (ø)
...istribution/registry/storage/ocimanifesthandler.go	66.12% <0.00%> (+0.05%)	⬆️
...ribution/distribution/registry/handlers/helpers.go	39.39% <0.00%> (+0.26%)	⬆️
...ution/distribution/registry/handlers/blobupload.go	44.97% <0.00%> (+1.74%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6891d94...df39a77. Read the comment docs.