Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

codecov security breach #2727

Closed
jlaehne opened this issue Apr 30, 2021 · 5 comments
Closed

codecov security breach #2727

jlaehne opened this issue Apr 30, 2021 · 5 comments

Comments

@jlaehne
Copy link
Contributor

jlaehne commented Apr 30, 2021

The tests.yml workflow was probably affected by: https://about.codecov.io/security-update/

See the related discussion on jupyter: jupyterhub/team-compass#398

At least the workflow does not contain any reference to secrets. ... that could have been leaked that way. However, through @actions/checkout there might have been a breach of $GITHUB_TOKEN, which though is only a temporary token so that should not be a problem either.

Nevertheless, might not hurt to audit if there is any security hardening we can do,
@ericpre
Copy link
Member

ericpre commented Apr 30, 2021
edited

Thanks for sharing the links, they contains useful information! I have set the the default permissions for the hyperspy organization to "read contents" as described in https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token

Here is a list of the third-party actions we are using in the HyperSpy organisation:

  • robotology/gh-action-nightly-merge@v1.2.0: use GITHUB_TOKEN
  • ammaraskar/sphinx-action@master: this job doesn't use a secret
  • RalfG/python-wheels-manylinux-build@v0.3.3: a secret is used at the end of the job, need to check whether this is an issue or not
  • GabrielBB/xvfb-action@v1: a secret is used at the end of the job
  • peaceiris/actions-gh-pages@v3: use GITHUB_TOKEN
  • conda-incubator/setup-miniconda@master: a secret is used
  • jacobtomlinson/gha-find-replace@master: a secret is used

I agree that we could pin the actions and use dependabot to keep up to date and review the updates.

This was referenced Apr 30, 2021
Closed
Closed
@ericpre ericpre mentioned this issue May 4, 2021
Merged
3 tasks
@jlaehne
Copy link
Contributor Author

jlaehne commented May 6, 2021

Great, when I log into Codcov, HyperSpy is now explicitly mentioned as affected repository!

@ericpre ericpre mentioned this issue Jun 10, 2021
Merged
4 tasks
@ericpre ericpre mentioned this issue Sep 19, 2022
Merged
4 tasks
@ericpre
Copy link
Member

ericpre commented Sep 19, 2022

The list of github actions used in this repository are summarised in https://github.com/hyperspy/hyperspy/network/dependencies.

As per https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates, I have setup dependabot.yml to get PR to update the github actions automatically.

@ericpre
Copy link
Member

ericpre commented Sep 19, 2022
edited

Progress on review and corresponding update of the repository in the hyperspy organisation:

@ericpre ericpre mentioned this issue Sep 19, 2022
Merged
6 tasks
@ericpre
Copy link
Member

ericpre commented Sep 25, 2022

All done!
There is a section in the hyperspy dev guide on this topic: https://hyperspy.readthedocs.io/en/latest/dev_guide/maintenance.html

@ericpre ericpre closed this as completed Sep 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jlaehne @ericpre