feat: extend GHA integration to support pull_request_target events#341
Merged
Conversation
This change makes it possible to use the GitHub Action (GHA) integration for PRs that originate from forks, by enabling workflows to run on the `pull_request_target` event. This change is simple enough, but comes with some heavy security considerations. In order for the GHA to run, a workflow using it will need to checkout the PRs code. This requires very careful attention so as not to allow so-called "pwn requests": * securitylab.github.com/research/github-actions-preventing-pwn-requests * blog.gitguardian.com/github-actions-security-cheat-sheet To that end, the documentation updates that go with this change will be explicit in their warnings about how to properly use the Phylum GHA in the most secure way possible. This effectively means the workflow should be limited to executing the bare minimum required for Phylum analysis. Further, the Phylum analysis that does run will need to do so in a way that does not allow for arbitrary code execution. Therefore, this PR is intended to be held back until the Phylum CLI adds some additional protections around lockfile generation. Closes #331
maxrake
commented
Oct 24, 2023
This change makes it possible to use the GitHub Action (GHA) integration for PRs that originate from forks, by enabling workflows to run on the `pull_request_target` event. This change comes with some heavy security considerations. In order for the GHA to run, a workflow using it will need to checkout the PRs code. This requires very careful attention so as not to allow so-called "pwn requests": * https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ * https://blog.gitguardian.com/github-actions-security-cheat-sheet/ To that end, the documentation updates that go with this change will be explicit in their warnings about how to properly use the Phylum GHA in the most secure way possible. This effectively means the workflow should be limited to executing the bare minimum required for Phylum analysis. Further, the Phylum analysis that does run will need to do so in a way that does not allow for arbitrary code execution. Therefore, this change also makes use of the Phylum CLI feature to disable lockfile generation for untrusted contexts like the `pull_request_target` event trigger in the GitHub Actions platform that this PR is looking to support. Unfortunately, this approach does not allow for repositories with only manifests (e.g., libraries). That is, manifests without a corresponding lockfile. Those will fail to parse, with a new return code unique to that situation. The only recourse, which is given in a log message and will be spelled out more explicitly in the corresponding documentation updates, is to reccomend adding a lockfile instead of or along with the manifest. Additional changes made include: * Add predicate for if Phylum sandbox will work in current environment * Create a `CLIExitCode` enumeration to track Phylum CLI exit codes * Update `ReturnCode` enumeration for tracking `phylum-ci` return codes * Add descriptions * Make a distinction between _policy_ failures and general failures * Add new code for when no dependency files were provided or detected * Add new code for when a manifest is attempted to be parsed but lockfile generation has been disabled * Ensure lockfiles provided as arguments are only filtered once * Use `phylum project status` instead of `phylum project list` for setting the repository URL * Update unit tests * Format and refactor throughout * Show the final return code, _after_ any modifications Closes #331 BREAKING CHANGE: Phylum CLI installs before v5.9.0-rc2 are no longer supported. A version with support for disabling lockfile generation and skipping sandbox usage is required. BREAKING CHANGE: The `phylum-ci` return code for a policy violation that results from a Phylum analysis has been changed from 1 to 2 in order to make it distinct from the default failure code that is generated for all raised `SystemExit` exceptions with a message instead of a code.
cd-work
requested changes
Dec 1, 2023
cd-work
approved these changes
Dec 4, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
feat!: extend GHA integration to support
pull_request_targeteventsThis change makes it possible to use the GitHub Action (GHA) integration
for PRs that originate from forks, by enabling workflows to run on the
pull_request_targetevent.This change comes with some heavy security considerations. In order for
the GHA to run, a workflow using it will need to checkout the PRs code.
This requires very careful attention so as not to allow so-called
"pwn requests":
To that end, the documentation updates that go with this change will be
explicit in their warnings about how to properly use the Phylum GHA in
the most secure way possible. This effectively means the workflow should
be limited to executing the bare minimum required for Phylum analysis.
Further, the Phylum analysis that does run will need to do so in a way
that does not allow for arbitrary code execution. Therefore, this change
also makes use of the Phylum CLI feature to disable lockfile generation
for untrusted contexts like the
pull_request_targetevent trigger inthe GitHub Actions platform that this PR is looking to support.
Unfortunately, this approach does not allow for repositories with only
manifests (e.g., libraries). That is, manifests without a corresponding
lockfile. Those will fail to parse, with a new return code unique to
that situation. The only recourse, which is given in a log message and
will be spelled out more explicitly in the corresponding documentation
updates, is to reccomend adding a lockfile instead of or along with the
manifest.
Additional changes made include:
CLIExitCodeenumeration to track Phylum CLI exit codesReturnCodeenumeration for trackingphylum-cireturn codeslockfile generation has been disabled
phylum project statusinstead ofphylum project listforsetting the repository URL
Closes #331
BREAKING CHANGE: Phylum CLI installs before v5.9.0-rc2 are no longer
supported. A version with support for disabling lockfile generation and
skipping sandbox usage is required.
BREAKING CHANGE: The
phylum-cireturn code for a policy violation thatresults from a Phylum analysis has been changed from 1 to 2 in order to
make it distinct from the default failure code that is generated for all
raised
SystemExitexceptions with a message instead of a code.Checklist
closes #<issueNum>in description above)?pull_request_targetevents phylum-analyze-pr-action#32Testing
Changes from this PR have been built in Docker images and hosted on Docker Hub for my account, as the
gh_pr_targettag.Screenshots from the manual testing may be added here soon.