codecov security breach #2727
Comments
Thanks for sharing the links, they contain useful information! I have set the default permissions for the hyperspy organization to "read contents" as described in https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token Here is a list of the third-party actions we are using in the HyperSpy organisation:
I agree that we could pin the actions and use dependabot to keep up to date and review the updates.
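The two hardening steps discussed in the comments above (restricting the default `GITHUB_TOKEN` to read-only and pinning third-party actions) look like this in a workflow file. This is an added illustration, not the HyperSpy project's own `tests.yml`; the action versions and the `<commit-sha-...>` placeholders are assumptions and must be replaced with the real full commit SHAs of the releases you choose to pin.

```yaml
name: tests
on: [push, pull_request]

# Workflow-level default: the GITHUB_TOKEN issued to every job in this
# workflow can only read repository contents. A job that genuinely needs
# more (e.g. to post a check or comment) must request it in its own
# `permissions:` block, so the blast radius of a leaked token stays small.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full commit SHA rather than a mutable tag such as @v3, so a
      # retagged or compromised release cannot silently change what runs.
      # The trailing comment records the human-readable version for reviewers
      # (and is the convention dependabot updates alongside the SHA).
      - uses: actions/checkout@<commit-sha-of-the-pinned-release> # v3 (placeholder)
        with:
          # Do not leave the GITHUB_TOKEN in .git/config after checkout;
          # later steps (including any third-party uploader) then cannot
          # read it from disk.
          persist-credentials: false

      - uses: actions/setup-python@<commit-sha-of-the-pinned-release> # v4 (placeholder)
        with:
          python-version: "3.x"

      - name: Run tests
        run: |
          python -m pip install -e .
          pytest
```

Once every action is pinned by SHA, the "review the updates" part of the comment is just reading the dependabot pull request that bumps the SHA and its version comment together.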
Great, when I log into Codecov, HyperSpy is now explicitly mentioned as an affected repository!
The list of github actions used in this repository is summarised in https://github.com/hyperspy/hyperspy/network/dependencies. As per https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates, I have set up dependabot.yml to get PRs to update the github actions automatically.
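For reference, a minimal `.github/dependabot.yml` that does what the comment above describes, i.e. asks dependabot to open pull requests when the actions referenced by the workflows have newer releases. This is an added example rather than the file committed to the HyperSpy repository; the weekly schedule is an assumption.

```yaml
version: 2
updates:
  # Watch the `uses:` lines in every workflow under .github/workflows/.
  # When an action is pinned by commit SHA (recommended after the Codecov
  # incident), dependabot bumps both the SHA and the trailing version
  # comment, so the pin stays reviewable.
  - package-ecosystem: "github-actions"
    # "/" means the repository root; dependabot then looks in
    # .github/workflows/ itself.
    directory: "/"
    schedule:
      interval: "weekly"
```

Each resulting PR is a chance to diff the new action revision before it runs with the repository's `GITHUB_TOKEN`, which is the review step the earlier comment asked for.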
Progress on review and corresponding update of the repository in the hyperspy organisation:
All done!
The `tests.yml` workflow was probably affected by: https://about.codecov.io/security-update/ See the related discussion on jupyter: jupyterhub/team-compass#398

At least the workflow does not contain any reference to `secrets. ...` that could have been leaked that way. However, through `@actions/checkout` there might have been a breach of `$GITHUB_TOKEN`, which though is only a temporary token so that should not be a problem either. Nevertheless, might not hurt to audit if there is any security hardening we can do,