
Require two-factor authentication for all members of the m2e-code-quality GitHub org #282

Closed
vorburger opened this issue Jun 17, 2022 · 9 comments

@vorburger
Member

Following this security incident, which as far as I know didn't directly affect https://github.com/m2e-code-quality, I would like to apply https://docs.github.com/en/organizations/keeping-your-organization-secure and require two-factor authentication for m2e-code-quality.

I've just enabled this. This means everyone on https://github.com/orgs/m2e-code-quality/people (some are Public and some chose Private membership which means they are not visible) needs to secure their account with two-factor authentication to be able to continue being a member of m2e-code-quality.

Please comment on this issue if this is causing problems for anyone.

@vorburger
Member Author

> I've just enabled this.

Oops, @Bananeweizen and @Serranya this apparently means you get auto-removed, because you don't have 2FA enabled yet. -- Would you consider securing your GitHub account with two-factor authentication? I'd be (very) happy to invite you back to this org when you have.

@m2e-code-quality-bot also gets auto-removed with this. I'm trying to remember what that was used for, but cannot. I see it was used on April 12 for a commit to the m2e-code-quality-p2-site repo... @erwint @adangel how does that work again? Could we do without using @m2e-code-quality-bot in the future?

@Bananeweizen
Contributor

@vorburger I'm okay with not having access anymore. I looked into using 2FA with GitHub long ago. But it doesn't work well. I switch between personal computers and company machines a lot, and cannot use private security tokens with the company machines, because managing security keys is configured centrally. Therefore that would require having my phone with me all the time for the company laptops. And I'm one of those people who have the phone somewhere in the flat, somewhere in a bag, or wherever, but definitely not in reach. I've therefore disabled 2FA after some time of testing long ago. I'll probably only enable it when it becomes mandatory, unless I find a more comfortable solution than searching for my phone all the time.

@vorburger
Member Author

@Bananeweizen I'm in a similar situation personally, just FYI. I find it a bit easier since GitHub added support for approving logins in the mobile app (but I have my phone with me typically, yes). But I can also plug my personal YubiKey security key into my (otherwise locked down) company machine, no problem. I personally have even added the YubiKey security keys that are in my company machines to my (personal) GitHub; it's not a problem for me, nor for the company (there is an explicit policy allowing it), and I don't see any "security risk". (I'm not sure what you mean by "managing security keys is configured centrally".) I'm just mentioning this FYI, in case this is of any interest/use to you (or your employer's IT department). PS: I currently happen to work for the company that originally co-developed U2F, and then was one of its early large adopters.

@adangel
Member

adangel commented Jun 18, 2022

@vorburger Removing write access from @m2e-code-quality-bot is ok - I've refactored the build scripts to use the automatically generated GitHub token for pushing to m2e-code-quality and added an SSH key as deploy key to m2e-code-quality-p2-site. The private key is passed through a secret in m2e-code-quality.
The bot account is only used to attribute any commits during release (like tagging, version change) and the site push - but the account itself doesn't need any permissions.
We could also delete the bot account (I don't have the credentials for this account...), but then we should probably update the scripts to use e.g. the GitHub bot or some other pseudo identity as commit author (see https://github.com/m2e-code-quality/m2e-code-quality/blob/develop/tools/prepare_release.sh#L18-L20 and some other places).

@Bananeweizen
Contributor

@vorburger I've re-evaluated some things and have 2FA enabled. The company laptop is okay with a YubiKey Nano now, since that can be left in all the time, without risk of damaging the key. It's all much more smooth than with the old fragile U2F (?) key I had bought some years ago.

@vorburger
Member Author

> I've re-evaluated some things and have 2FA enabled.

@Bananeweizen nice!!! I've just sent an invitation to re-join the org... 😃

> The company laptop is okay with a YubiKey Nano now, since that can be left in all the time, without risk of damaging the key. It's all much more smooth than with the old fragile U2F (?) key I had bought some years ago.

Yeah, the Nanos that you can leave in are the way to go. I've got a handful of them plugged into several of my machines!

BTW, are you aware of the `ssh-keygen -t ed25519-sk` support? That's very neat.

@vorburger
Member Author

> The bot account is only used to attribute any commits during release (like tagging, version change) and the site push - but the account itself doesn't need any permissions.

Yeah, but @m2e-code-quality-bot (for which I have the credentials) also gets auto-removed with this; it can't even push the site anymore.

> We could also delete the bot account, but then we should probably update the scripts to ...

That's probably the best, IMHO.

@adangel
Member

adangel commented Oct 7, 2022

@vorburger I think you can delete the bot account (if not done already). It's not needed anymore by the build scripts (and since you enabled 2FA, it was already removed). I've created #302 to make the future commits nicer - they should now appear to come from github-actions and no longer from @m2e-code-quality-bot.

In terms of permissions: During a build, we might commit into https://github.com/m2e-code-quality/m2e-code-quality. There we use the default GITHUB_TOKEN provided by Actions. This is done for releasing a new version.

For committing into https://github.com/m2e-code-quality/m2e-code-quality-p2-site I've configured an SSH key as a site deploy key. The private part of the key is the secret SITE_DEPLOY_PRIVATE_KEY defined in m2e-code-quality. This private key is written on the runner to ~/.ssh/... by publish-update-site.sh. The public part is configured at m2e-code-quality-p2-site as a deploy key.
This is documented in https://github.com/m2e-code-quality/m2e-code-quality/blob/develop/doc/github-actions.md
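
The deploy-key flow described in this comment, as an added example that is not m2e-code-quality's own publish-update-site.sh: the secret SITE_DEPLOY_PRIVATE_KEY (named on the page) is written to an owner-only file and git is pointed at exactly that key, failing closed if the host key is not pinned. The function names, the `site_deploy_key` file name and the dummy key material are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not the project's script. Installs a CI secret as an SSH deploy key
# with strict permissions and builds a GIT_SSH_COMMAND that uses only that key.
set -eu

# install_deploy_key <key_material> [dir]
# Writes the private key to <dir>/site_deploy_key (default ~/.ssh), mode 0600, prints the path.
install_deploy_key() {
  key="$1"; dir="${2:-$HOME/.ssh}"
  [ -n "$key" ] || { echo "deploy key secret is empty" >&2; return 1; }
  path="$dir/site_deploy_key"
  # Subshell so the restrictive umask does not leak into the rest of the script;
  # files are owner-only from creation, not only after a later chmod.
  ( umask 077; mkdir -p "$dir"; printf '%s\n' "$key" > "$path" )   # printf: key written verbatim
  chmod 600 "$path"
  echo "$path"
}

# key_mode <path>: octal permission bits, portable between GNU and BSD stat
key_mode() {
  if stat -c '%a' "$1" >/dev/null 2>&1; then stat -c '%a' "$1"; else stat -f '%Lp' "$1"; fi
}

# git_ssh_command <key_path>: ssh invocation for git that offers only this key and
# verifies github.com against a known_hosts file next to the key (missing file => push fails).
git_ssh_command() {
  printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' \
    "$1" "$(dirname "$1")/known_hosts"
}

# Typical use on the runner (hypothetical; only runs when the secret is present):
if [ -n "${SITE_DEPLOY_PRIVATE_KEY:-}" ]; then
  KEY_PATH=$(install_deploy_key "$SITE_DEPLOY_PRIVATE_KEY")
  GIT_SSH_COMMAND=$(git_ssh_command "$KEY_PATH"); export GIT_SSH_COMMAND
  # known_hosts should be a checked-in, reviewed copy of GitHub's host keys, not a live ssh-keyscan.
fi
```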

@vorburger
Member Author

I'm closing this issue now, because Require two-factor authentication for everyone in the M2E integration for Checkstyle, SpotBugs & PMD organization is enabled (I just re-checked).

#336 opened re. the old bot 🤖 account.
