New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FOSSA scan enabled #3396
FOSSA scan enabled #3396
Conversation
- name: Run FOSSA scan and upload build data | ||
uses: fossa-contrib/fossa-action@v1 | ||
with: | ||
fossa-api-key: cac3dc8d4f2ba86142f6c0f2199a160f |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be added to GH repo secrets rather than being exposed here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@milosgajdos nope, unfortunately, it won't work as a secret if triggered from the repo fork (https://docs.github.com/en/actions/reference/encrypted-secrets#using-encrypted-secrets-in-a-workflow).
At the same time, this is a read-only API key, which can be exposed safely - https://docs.fossa.com/docs/api-reference#push-only-api-token, so let's keep it as is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a bit strange. I can see how someone can abuse this easily by pushing all kinds of nonsense using this API key. Does this also mean that forks will be able to override the upstream build data?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@milosgajdos I agree that it could be done differently, but this is how does it work. So it's a common approach across the whole board of CNCF projects (they are all referenced in this issue - cncf/foundation#109).
You can find more details in the thread under this PR kedacore/keda#860, where we've noticed these challenges for the first time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the PR kedacore/keda#860, it's using the secret as the API key.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From my side, this feels dodgy and I'd like someone to talk to FOSSA developers so they sort out this security circus with GitHub folks.
I have already discussed this with FOSSA a while ago, and yes, this is their suggested solution.
However, CNCF now own this repo so if they're happy with the current state of things we can merge this in, indeed.
To clarify - I am with CNCF. I agree that this is not the most perfect solution that could be, but this is a common practice across other projects; suggested by the FOSSA team themselves.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, but I can't help but still express my dislike of it. Going forward it's probably something worth bringing up with @chrispat so GH come up with some way of addressing this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you are using a secret in a workflow that is run on pull requests from forks it would easily be extracted so having it as a secret value vs plain text isn't protecting anything.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I understand this, but I'm struggling to accept it as an "Ok situation because XYZ". I haven't given this much thought, tbh, but surely it's in GH's [and OSS developers] interest to come up with some solution to this workflow?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be great if something were possible but I just don't know how to keep any sort of value secret in an environment that lest you run arbitrary code from unknown sources. In the case of CI and open source contribution that is a fundamental need.
It is possible that FOSSA could enable a system like you have with CodeCov where they use some other information in the environment along with a call back to the Actions API rather than an API key.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ignore the CI. The failed run is related to the empty space char present in one of the earlier commits and it's making CI sad. I think if you rebased the CI run would pass, but we can do that during merge.
@milosgajdos any other blockers for now? |
I gave it my tick a while back. Unfortunately, I can't merge it unless there are at least 2 approvals from maintainers -- otherwise I would have already merged it in. CC: @chrispat @wy65701436 |
Ok, one last bit @idvoretskyi . Can you please squash the commits? I believe that will also get rid of the build failure as there is some empty space char in your first commit (See |
Signed-off-by: Ihor Dvoretskyi <ihor@linux.com>
aaf00a5
to
df39a77
Compare
@milosgajdos here we go :) |
Codecov Report
@@ Coverage Diff @@
## main #3396 +/- ##
==========================================
- Coverage 56.31% 56.31% -0.01%
==========================================
Files 102 102
Lines 7243 7281 +38
==========================================
+ Hits 4079 4100 +21
- Misses 2523 2535 +12
- Partials 641 646 +5
Continue to review full report at Codecov.
|
Ref.: cncf/foundation#109
Signed-off-by: Ihor Dvoretskyi ihor@linux.com