codecov security breach #2727

Closed
jlaehne opened this issue Apr 30, 2021 · 5 comments

Comments

@jlaehne
Contributor

jlaehne commented Apr 30, 2021

The tests.yml workflow was probably affected by: https://about.codecov.io/security-update/

See the related discussion on jupyter: jupyterhub/team-compass#398

At least the workflow does not contain any reference to secrets. ... that could have been leaked that way. However, through @actions/checkout there might have been a breach of $GITHUB_TOKEN, which though is only a temporary token so that should not be a problem either.

Nevertheless, it might not hurt to audit if there is any security hardening we can do.

@ericpre
Member

ericpre commented Apr 30, 2021

Thanks for sharing the links, they contain useful information! I have set the default permissions for the hyperspy organization to "read contents" as described in https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token

Here is a list of the third-party actions we are using in the HyperSpy organisation:

  • robotology/gh-action-nightly-merge@v1.2.0: uses GITHUB_TOKEN
  • ammaraskar/sphinx-action@master: this job doesn't use a secret
  • RalfG/python-wheels-manylinux-build@v0.3.3: a secret is used at the end of the job, need to check whether this is an issue or not
  • GabrielBB/xvfb-action@v1: a secret is used at the end of the job
  • peaceiris/actions-gh-pages@v3: uses GITHUB_TOKEN
  • conda-incubator/setup-miniconda@master: a secret is used
  • jacobtomlinson/gha-find-replace@master: a secret is used

I agree that we could pin the actions and use dependabot to keep up to date and review the updates.

@jlaehne
Contributor Author

jlaehne commented May 6, 2021

Great, when I log into Codecov, HyperSpy is now explicitly mentioned as an affected repository!

@ericpre
Member

ericpre commented Sep 19, 2022

The list of GitHub Actions used in this repository is summarised in https://github.com/hyperspy/hyperspy/network/dependencies.

As per https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates, I have set up dependabot.yml to get PRs that update the GitHub Actions automatically.
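The two hardening steps agreed on in this thread (pin third-party actions, and give GITHUB_TOKEN only the permissions a workflow needs) can be checked mechanically before Dependabot takes over. The script below is an added example, not HyperSpy's own tooling; it scans workflow YAML text for `uses:` references that are not pinned to a full commit SHA and reports whether an explicit `permissions:` block is present. The workflow text it runs on is constructed for the example, and the 40-zero SHA in it is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflow text for unpinned actions and missing
GITHUB_TOKEN permissions.  Added example, not HyperSpy project code."""
import re

# Matches "uses: owner/repo@ref" in a step; stops before comments/whitespace.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-hex commit SHA is the only ref that cannot be moved later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> dict:
    """Return {'unpinned': [action refs], 'has_permissions': bool}.

    Tags (@v3) and branches (@master) can be re-pointed by the action's
    maintainer or an attacker who compromises that repo, so only a commit
    SHA counts as pinned. Local actions ('./...') and docker:// refs skip.
    """
    unpinned = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)
    # Any explicit permissions block (workflow- or job-level) means the
    # workflow no longer relies on the default GITHUB_TOKEN scope.
    has_permissions = re.search(r"^\s*permissions:", text, re.M) is not None
    return {"unpinned": unpinned, "has_permissions": has_permissions}


# Constructed sample workflow; the all-zero SHA is a placeholder.
SAMPLE_WORKFLOW = f"""name: tests
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{'0' * 40}  # placeholder SHA
      - uses: ammaraskar/sphinx-action@master
      - uses: conda-incubator/setup-miniconda@v2
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_WORKFLOW))
```

Run it against each file under `.github/workflows/` to get the same list that was compiled by hand above; once every entry is a SHA, Dependabot's `github-actions` ecosystem keeps the SHAs current.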

@ericpre
Member

ericpre commented Sep 25, 2022

All done!
There is a section in the hyperspy dev guide on this topic: https://hyperspy.readthedocs.io/en/latest/dev_guide/maintenance.html

@ericpre ericpre closed this as completed Sep 25, 2022