-
Notifications
You must be signed in to change notification settings - Fork 464
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce authorize step for external PRs #2493
Conversation
@getsentry/security @asottile-sentry Hey folks, would appreciate your thoughts on this worfklow change 🙏🏻 |
jobs: | ||
authorize: | ||
name: Determine environment | ||
environment: | ||
${{ github.event_name == 'pull_request_target' && | ||
github.event.pull_request.head.repo.full_name != github.repository && | ||
'external' || 'internal' }} | ||
runs-on: ubuntu-latest | ||
steps: | ||
- run: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is not clear what this does -- I expected a label being required here and I don't see it
as it is written right now it is unsafe as it checks out the pull request and then executes arbitrary code from it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The idea is to use environments instead of labels to control which PRs are allowed to be checked out and executed. The prerequisite is that the repo must be configured to have an external
environment such that any environment: external
workflows require a review from a Sentry employee before they're allowed to run. The authorize
job above sets the environment to external
if the PR was made from a fork.
Technically this should be better than using a label, since it revokes any existing workflow approvals automatically on new code changes without us needing to introduce another step to check for code changes and remove the label, and there is no risk of a race condition between granting the approval/label and new code changes being pushed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More context: iterative/cml#574 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm nice if it works -- we should try this out in a separate repo first with less sensitive credentials
if this is the github feature I think it is we still might not want to do it this way though -- iirc it sends an email to all repository collaborators (read: the entire company) without a way to opt out
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried this out on https://github.com/sentrivana/playground: here's the ci.yaml, the environment definition:
And here's a fork PR against the repo: sentrivana/playground#2
if this is the github feature I think it is we still might not want to do it this way though -- iirc it sends an email to all repository collaborators (read: the entire company) without a way to opt out
Ugh. Will test this some more to see if that's the case. If it is, will change this to use a label instead.
Thanks for the feedback!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We typically use the label approach to achieve this functionality, so this is new territory for us. That said, the approach seems sound. 🙂
I do have some a related questions:
- Is the same secret used for both
internal
andexternal
environments?- If so, could we separate these accounts and use one for each?
- Can we verify that the associated account has the minimum amount of privileges as necessary?
Thanks for reviewing!
@antonpirker You're familiar with our AWS Lambda test setup, thoughts on this? |
My plan now:
|
I stripped down the permissions now to the minimum. Only the permissions really needed are set and only usable on resources that are prefixed with "test_" or have the name "python-serverless-sdk-test". (ok, listFunctions can list all functions, but when I tried to constrain this it did not work at all.)
The tests run by internal and external PRs whould need exactly the same permissions. @mdtro should we still make two accounts? |
For the record, I saved the permissions JSON in the Sentry password manager to the credentials for the user that should have these permissions. |
The PR/branch I used. For faster testing this branch is only running the AWS Lambda tests: We can fork this branch with an external user to test external PRs. |
I have now also added a Budget to AWS Lambda of USD 50 per month. If the cost exceed this we will be notified via email. (We will never reach this limit, right now we are always in the free tier usage. Just to limit the damage in case something goes wrong) |
Closing this in favor of #2538 Going with the label approach since we're already using it elsewhere. |
[DO NOT MERGE] The
external
environment has to be set up correctly first and this needs to be looked at by the security team.Introduce an
authorize
step to all workflows that require access to secrets (currently just the AWS Lambda test suite). The workflow for fork PRs after this PR will be as follows:pull_request_target
instead ofpull_request
, which means they'll run against the base branch of the main repo and will have access to secretsauthorize
step that checks whether the PR was made from a fork and if so, sets the environment toexternal
external
environment, the repo is set up to require explicit approval from a Sentry employee before the workflow can be runBackground
Our AWS Lambda test suite requires GitHub secrets to run. These are by default not accessible to PRs from forks. GitHub offers a solution for private repos, but for public repos, there is no dedicated solution.
The only way for fork PRs to get access to GH secrets of the original repo is to use
pull_request_target
. However, if this is used incorrectly it's an obvious security concern (see this and this). There are some options to prevent this, most of them relying on some sort of explicit approval from a maintainer. The two most prominent ones are:The former has the potential for race conditions. Since the label is not tied to a specific commit, a malicious code change pushed at roughly the same time the label was applied, but before the workflow has run, could lead to the workflow running unsafe code.
The latter (which is the solution in this PR) should not allow this since the test run is directly tied to a specific commit and any new code change invalidates any previous approval.
Closes #2487