Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Knip configuration for keygen #5

Merged
merged 7 commits into from
Apr 6, 2024
Merged

Knip configuration for keygen #5

merged 7 commits into from
Apr 6, 2024

Conversation

gitcoindev
Copy link
Contributor

Resolves #4

@gitcoindev
chore: knip configuration for keygen
0ef91fa 
Set correct entry points in knip.ts for keygen repository to find all dependencies
@gitcoindev
chore: run knip on pull_request_target and workflow_dispatch
f8f6dd8 
Sync with ubiquibot-kernel settings.
@gitcoindev gitcoindev requested a review from rndquu March 19, 2024 12:54
@ubiquibot-continuous-deploys
Copy link

ubiquibot-continuous-deploys bot commented Mar 19, 2024
edited
Loading

@gitcoindev
Copy link
Contributor Author

Hi @rndquu QA on my fork: https://github.com/gitcoindev/keygen.ubq.fi/actions/runs/8343277802/job/22833177887?pr=2

In case 'Resource not accessible' error shows up, https://github.com/ubiquity/keygen.ubq.fi/settings -> Actions -> Workflow permissions -> Read and write permissions needs to be selected. I do not have admin rights there to check.

rndquu
rndquu reviewed Mar 19, 2024
View reviewed changes
.github/workflows/knip.yml Outdated Show resolved Hide resolved
@gitcoindev gitcoindev marked this pull request as draft March 19, 2024 13:48
@gitcoindev
Copy link
Contributor Author

Converting into Draft for now.

@rndquu rndquu mentioned this pull request Mar 19, 2024
Closed
@gitcoindev gitcoindev force-pushed the knip-configuration-for-keygen branch from 193a5d7 to 5845df6 Compare March 19, 2024 19:04
@gitcoindev
Copy link
Contributor Author

Hi @rndquu I tried to implement the same approach as in ubiquity/ts-template#37 , unfortunately it does not work for knip-reporter as workflow_run is not supported https://github.com/Codex-/knip-reporter/blob/main/src/main.ts#L24

I am wondering if there is any other way, currently experimenting perhaps we could expose and securely use a fine grained PAT token just to allow comments on PRs and run checks permission https://docs.github.com/en/rest/checks/runs?apiVersion=2022-11-28#create-a-check-run.

@rndquu
Copy link
Member

rndquu commented Mar 20, 2024

Hi @rndquu I tried to implement the same approach as in ubiquity/ts-template#37 , unfortunately it does not work for knip-reporter as workflow_run is not supported https://github.com/Codex-/knip-reporter/blob/main/src/main.ts#L24

I am wondering if there is any other way, currently experimenting perhaps we could expose and securely use a fine grained PAT token just to allow comments on PRs and run checks permission https://docs.github.com/en/rest/checks/runs?apiVersion=2022-11-28#create-a-check-run.

Yes, we could use UbiquiBot Continuous Deploys github app which already has write permissions to PRs (example how to get installation token)

@gitcoindev
Copy link
Contributor Author

It's a bit like chicken and egg problem, tried to apply https://github.com/ubiquity/devpool-directory/blob/6c183455f3b78f6e3afe45182345463f01a3dbb3/.github/workflows/sync-issues.yml#L34-L39 but knip-reporter requires pull_request workflow, which does not have access to any secrets. Also confirmed at tibdex/github-app-token#25 and read https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md . There is an interesting approach here https://dvc.ai/blog/testing-external-contributions-using-github-actions-secrets with manual approval, but I am also eager to check one approach described at https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ . Namely using knip-reporter on pull_request_target but switching actions checkout to pull request sha, which will change context to pull request repo

    - uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.sha }}

and use yarn install with --mode=skip-build as in https://github.com/ubiquity/devpool-directory/blob/6c183455f3b78f6e3afe45182345463f01a3dbb3/.github/workflows/sync-issues.yml#L32C26-L32C44

If it will just run knip, there should not be hopefully any leaking secrets.

I will still experiment on my fork today evening.

@0x4007
Copy link
Member

0x4007 commented Mar 22, 2024
edited
Loading

Hi @rndquu I tried to implement the same approach as in ubiquity/ts-template#37 , unfortunately it does not work for knip-reporter as workflow_run is not supported https://github.com/Codex-/knip-reporter/blob/main/src/main.ts#L24
I am wondering if there is any other way, currently experimenting perhaps we could expose and securely use a fine grained PAT token just to allow comments on PRs and run checks permission https://docs.github.com/en/rest/checks/runs?apiVersion=2022-11-28#create-a-check-run.

Yes, we could use UbiquiBot Continuous Deploys github app which already has write permissions to PRs (example how to get installation token)

Maybe we can rename the bot to ubiquity-pull-requests-ci or something for general tooling around our pulls.

It's a bit like chicken and egg problem, tried to apply https://github.com/ubiquity/devpool-directory/blob/6c183455f3b78f6e3afe45182345463f01a3dbb3/.github/workflows/sync-issues.yml#L34-L39 but knip-reporter requires pull_request workflow, which does not have access to any secrets. Also confirmed at tibdex/github-app-token#25 and read https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md . There is an interesting approach here https://dvc.ai/blog/testing-external-contributions-using-github-actions-secrets with manual approval, but I am also eager to check one approach described at https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ . Namely using knip-reporter on pull_request_target but switching actions checkout to pull request sha, which will change context to pull request repo

    - uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.sha }}

and use yarn install with --mode=skip-build as in https://github.com/ubiquity/devpool-directory/blob/6c183455f3b78f6e3afe45182345463f01a3dbb3/.github/workflows/sync-issues.yml#L32C26-L32C44

If it will just run knip, there should not be hopefully any leaking secrets.

I will still experiment on my fork today evening.

Consider using footnotes it will make your comment more readable. Example1

source markdown code

Consider using footnotes it will make your comment more readable. Example[^1^]

[^1^]: example footnote

Footnotes

  1. example footnote

@rndquu
Copy link
Member

rndquu commented Mar 22, 2024
edited
Loading

https://dvc.ai/blog/testing-external-contributions-using-github-actions-secrets

This approach requires manual approval. It means that a malicious code in any at least medium size PR will eventually be overlooked.

Namely using knip-reporter on pull_request_target but switching actions checkout to pull request sha, which will > change context to pull request repo

- uses: actions/checkout@v2
  with:
    ref: ${{ github.event.pull_request.head.sha }}

and use yarn install with --mode=skip-build as in https://github.com/ubiquity/devpool-> directory/blob/6c183455f3b78f6e3afe45182345463f01a3dbb3/.github/workflows/sync-issues.yml#L32C26-L32C44

If it will just run knip, there should not be hopefully any leaking secrets.

This approach also doesn't work because yarn install and yarn knip (called by https://github.com/Codex-/knip-reporter) run in a privileged context and controlled by PR author

We could:

  1. Don't use https://github.com/Codex-/knip-reporter at all. It would be sufficient to run yarn knip on pull_request without beautiful report
  2. Create a separate github app (basically what pavlovcik proposed) with PR/issues write permission and hardcode credentials here
  3. Remove knip at all. It seems that it doesn't save time but only requires organization resources for fixing low priority issues.

@gitcoindev
Copy link
Contributor Author

gitcoindev commented Apr 4, 2024
edited
Loading

All right! I finally have a secure solution on my fork that works correctly. Both on pull requests from branches in the same repository and on pull requests from forks. It avoids insecure pull_request_target workflow.

The algorithm is as follows:

  1. Knip runs on the pull_request by default, printing out its output to console. It uses a read-only github token.
  2. If, and only if yarn knip fails with a non-zero return code, the Knip JSON result and pull request number artifact is created and passed to Knip reporter action.
  3. Knip reporter action is triggered only if Knip run fails, otherwise the pull request check is immediately green. Knip reporter runs in the workflow_run workflow. It uses the base branch environment, does not build anything, reads and parses Knip results JSON file and provides inline comments and summary to the pull request.

This is quite generic and similar to Clouldflare deployment action, but does not use built artifacts. Knip reporter was not prepared to consume JSON input from an another run and I did not want to pass all files from the pull request. Therefore I forked the knip reporter and implemented this feature as well.

I will clean up commits and prepare a pull request to this repository today. After merged and tested here will fix all the other repositories as well.

@gitcoindev
chore: use secure pull_request knip workflow
4e42772 
Knip workflow uses pull_request. If Knip result fails, Knip-reporter
workflow is triggered which updates Knip report directly in the pull
request summary and inline comments.
@gitcoindev gitcoindev marked this pull request as ready for review April 4, 2024 19:14
@gitcoindev
Copy link
Contributor Author

QA with added an unused openai dependency:

  1. On pull request in the same repository: chore: add unused openai dependency gitcoindev/keygen.ubq.fi#10

Failed Knip workflow triggered Knip reporter https://github.com/gitcoindev/keygen.ubq.fi/actions/runs/8558588746/job/23453470014 and updated findings directly in the pull request.

  1. On pull request incoming from a fork into my korrrba org: chore: add unused openai dependency korrrba/keygen.ubq.fi#16

Failed Knip workflow triggered Knip reporter
https://github.com/korrrba/keygen.ubq.fi/actions/runs/8558589690/job/23453472765

@gitcoindev
Copy link
Contributor Author

I marked as ready to review and added @gentlementlegen to reviewers.

@gitcoindev gitcoindev mentioned this pull request Apr 5, 2024
Merged
molecula451
molecula451 approved these changes Apr 5, 2024
View reviewed changes
Copy link
Member

@molecula451 molecula451 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great work

@molecula451
Copy link
Member

QA with added an unused openai dependency:

  1. On pull request in the same repository: chore: add unused openai dependency gitcoindev/keygen.ubq.fi#10

Failed Knip workflow triggered Knip reporter https://github.com/gitcoindev/keygen.ubq.fi/actions/runs/8558588746/job/23453470014 and updated findings directly in the pull request.

  1. On pull request incoming from a fork into my korrrba org: chore: add unused openai dependency korrrba/keygen.ubq.fi#16

Failed Knip workflow triggered Knip reporter https://github.com/korrrba/keygen.ubq.fi/actions/runs/8558589690/job/23453472765

is there any QA on positive knip, not failing and running without errors?

@gitcoindev
Copy link
Contributor Author

QA with added an unused openai dependency:

  1. On pull request in the same repository: chore: add unused openai dependency gitcoindev/keygen.ubq.fi#10

Failed Knip workflow triggered Knip reporter https://github.com/gitcoindev/keygen.ubq.fi/actions/runs/8558588746/job/23453470014 and updated findings directly in the pull request.

  1. On pull request incoming from a fork into my korrrba org: chore: add unused openai dependency korrrba/keygen.ubq.fi#16

Failed Knip workflow triggered Knip reporter https://github.com/korrrba/keygen.ubq.fi/actions/runs/8558589690/job/23453472765

is there any QA on positive knip, not failing and running without errors?

Yes, for example: https://github.com/korrrba/keygen.ubq.fi/pull/15/checks

@molecula451 molecula451 merged commit 9db3d03 into ubiquity:development Apr 6, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gentlementlegen gentlementlegen gentlementlegen approved these changes

@molecula451 molecula451 molecula451 approved these changes

@rndquu rndquu Awaiting requested review from rndquu

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Create correct Knip configuration for keygen repository
5 participants
@gitcoindev @rndquu @0x4007 @molecula451 @gentlementlegen