-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix pronto on GitHub actions #401
Conversation
When the specs action is triggered by `pull_request` Pronto can not post reports to GitHub because there isn't a token present (the action only has read access to the repository). Since the `pull_request_target` action has write access to the repository we must make sure that no code that is coming from the PR is executed. The workflow definition used for those actions are always taken from the target branch which means the pull request can not modify what is run. The `pronto` workflow is a mouth full for a couple of reasons: * Since we can not use `bundle exec` (it would execute code from the pull request) we must install all dependencies and pronto itself as system gems. * `bundle install --system` does not install pronto itself, we must build and install it from the `gemspec` * Installing `rugged` takes a while, to be able to cache the system gems we have to use a custom `GEM_HOME` * `pronto-rubocop` needs a newer version because `0.10.0` is not compatible with pronto `0.11` (this wasn't an issue before because bundle install does not verify the version of the gem it is run in) * After all gems are installed we are checking out the pull requests code and finally run pronto * pronto has to run on Ruby 2.5 because version `4.14.0` is marked as compatible with ruby 2.4 but [breaks with a runtime error][1] * Explicitly setting the pronto runners makes sure the workflow does not silently succeed if - for some reason - pronto-rubocop was not installed properly or could not be loaded by pronto [1]: NARKOZ/gitlab#550
Pronto will not be run for this PR because After a lot of iterations this seems to be working well on my fork: dsander#7 It would be nice if someone could open a PR to my fork which should trigger pronto comments to make sure the workflow also works for non-members of a repository. |
This configuration looks quite complicated. Why wouldn't the first example in the wiki work? I'd prefer to dog-food what we're recommending to users 😁 |
Because of this:
That configuration works for pull request from As a alternative you could create a dummy |
I'm not sure how something like this action would really work -- it uses the same formatters that you have defined. Or does it also have the same limitation? |
Converting CI to GitHub Action on this repo is the first instance for me where linting is required on a public repository that accepts pull request and I have to say a lot (if not all) documentation and examples do not cover that I tried both examples you linked, the one from the wiki and the Not modifying anything the The example from the wiki first failed in a similar way CI currently fails on master: https://github.com/prontolabs/pronto/runs/1993385721?check_suite_focus=true I still don't know how it used to work on Travis (I am assuming you have a configured |
I think this is an area where we definitely need to improve the documentation. Apparently, this is a known limitation for forks -- but I don't think using
I don't think the pronto formatters are designed to run this way (separate step to store results as artifact and then upload via API), I think we need a new formatter to cope with this. I don't think it's safe to checkout the PR in the context of This looks like a good feature to build, but I don't think I'll merge this PR because of the security impact 😞 I'd rather build something like this and dogfood it ourselves, so that other projects can use pronto by looking at our configuration as an example of doing it securely via GitHub Actions. |
Sorry I meant that more in a general way, it feels to me that our use case wasn't thought of when Actions were designed. One easy solution would have been to allow
Oh, I was assuming that they were we are mostly using the robocop and simplecov reporters and, to my knowledge, they don't eval the to code they are checking. But if that is something that can't be guaranteed the action definitely isn't something that should be recommended for all |
Exactly! pronto works well right now, except within GitHub Actions for a pull request workflow -- which would be most open-source Ruby projects, due to mass-migration away from TravisCI. We definitely need to develop something to cater to this, as pronto is such a project too 🙂 While a solution may take some time, I'd rather incorporate this fact into the README.
That's possibly true for this repository, but I'm not sure if it's true for most projects. Also, I couldn't find a FAQ if it was safe to run rubocop on untrusted Ruby code -- I'd rather be pessimistic by default. Although you've used a different cache key for the action cache, someone malicious can also use cache poisoning attacks -- safest is not to use a cache, but then like you said I have a possible idea, but not sure I'll get a chance to work on it right away:
This would fit the GitHub Actions model very well, with the replay file being the artifact that's used to share data across runs. Not sure about how to achieve the serialization, as the current in-memory structure isn't really friendly to that. |
Me neither, I searched through their code for
As far as I know they would only be able to write something malicious into the cache if they get to the point to execute their own code.
The plan sounds solid to me, just don't use an unsafe deserializer like I don't think that I will have enough time to look into it myself the next week. Feel free to ping me if you would like some help with the updated action setup. I think I now know how most of their logic and setup works after trying and failing with so many attempts 😄 |
In prontolabs#401 we discussed that there currently is no 100% safe way to run pronto on `pull_request_target` actions we can not send any reports to the GitHub pull request. This simple action will show up as a failed check. The offences then need to be viewed in the action output.
Closing in favor of #403 |
In prontolabs#401 we discussed that there currently is no 100% safe way to run pronto on `pull_request_target` actions we can not send any reports to the GitHub pull request. This simple action will show up as a failed check. The offences then need to be viewed in the action output.
As a pathological case, imagine the following:
There's too many things which can go wrong 🤷♂️ |
That could work, but only if the malicious user already found a way to execute their own code. If we are assuming that all used pronto plugins are safe the cache could not be touched by the user because it is build based on the dependencies defined on |
In #401 we discussed that there currently is no 100% safe way to run pronto on `pull_request_target` actions we can not send any reports to the GitHub pull request. This simple action will show up as a failed check. The offences then need to be viewed in the action output.
In prontolabs/pronto#401 we discussed that there currently is no 100% safe way to run pronto on `pull_request_target` actions we can not send any reports to the GitHub pull request. This simple action will show up as a failed check. The offences then need to be viewed in the action output.
When the specs action is triggered by
pull_request
Pronto can notpost reports to GitHub because there isn't a token present (the action
only has read access to the repository).
Since the
pull_request_target
action has write access to the repositorywe must make sure that no code that is coming from the PR is executed.
The workflow definition used for those actions are always taken from the
target branch which means the pull request can not modify what is run.
The
pronto
workflow is a mouth full for a couple of reasons:bundle exec
(it would execute code from thepull request) we must install all dependencies and pronto itself as
system gems.
bundle install --system
does not install pronto itself, we mustbuild and install it from the
gemspec
rugged
takes a while, to be able to cache the system gemswe have to use a custom
GEM_HOME
pronto-rubocop
needs a newer version because0.10.0
is notcompatible with pronto
0.11
(this wasn't an issue before becausebundle install does not verify the version of the gem it is run in)
code and finally run pronto
4.14.0
is marked ascompatible with ruby 2.4 but breaks with a runtime error
silently succeed if - for some reason - pronto-rubocop was not
installed properly or could not be loaded by pronto