Add security rules and lock external actions to a hash

Expensify · Dec 17, 2020 · b7d40e7 · b7d40e7
1 parent 5c4c521
commit b7d40e7
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 9 deletions.
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1 @@
+Please report any and all security issues to [email protected]
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,15 @@
+# [Expensify.cash](https://expensify.cash) GitHub Workflows
+
+## Security Rules 🔐
+1. Do **not** use `pull_request_target` trigger unless an external fork needs access to secrets, or a _write_ `GITHUB_TOKEN`.
+1. Do **not ever** write a `pull_request_targer` trigger with an explicit PR checkout, e.g. using `actions/checkout@v2`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
+1. **Do use** the `pull_request` trigger as it does not send internal secrets and only grants a _read_ `GITHUB_TOKEN`.   
+1. If an external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash to prevent a modification of underlying source code at that version.
+1. When creating secrets, use tightly scoped secrets that only allow access to that specific action's requirement
+1. Review all modifications to our workflows with extra scrutiny, it is important to get it correct the first time.
+1. Test workflow changes in your own public fork, for example: https://github.com/Andrew-Test-Org/Public-Test-Repo
+1. Only trusted users will be allowed write access to the repository, however, it's good to add logic checks in actions to prevent human error.
+
+## Further Reading 📖
+1. https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+1. https://stackoverflow.com/a/62143130/1858217
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -14,18 +14,21 @@ jobs:
         steps:
             - name: Export Files Changed
               id: changed
-              uses: futuratrepadeira/[email protected]
+              # Version: 3.3.0
+              uses: futuratrepadeira/changed-files@1d252c611c64289d35243fc37ece7323ea5e93e1
               with:
                 repo-token: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Check for an auto approve
-              uses: hmarr/[email protected]
+              # Version: 2.0.0
+              uses: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }}
               if: github.event.label.name == 'automerge' && github.actor == 'botify' && steps.changed.outputs.files_updated == 'android/app/build.gradle ios/ExpensifyCash/Info.plist ios/ExpensifyCashTests/Info.plist package-lock.json package.json' && steps.changed.outputs.files_created == '' && steps.changed.outputs.files_deleted == ''
 
             - name: Check for an auto merge
-              uses: pascalgn/[email protected]
+              # Version: 0.12.0
+              uses: pascalgn/automerge-action@c9bd1823770819dc8fb8a5db2d11a3a95fbe9b07
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -1,4 +1,4 @@
-name: "CLA Assistant"
+name: CLA Assistant
 
 on:
     issue_comment:
@@ -10,9 +10,10 @@ jobs:
     CLA:
         runs-on: ubuntu-latest
         steps:
-            - name: "CLA Assistant"
+            - name: CLA Assistant
               if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-              uses: cla-assistant/[email protected]
+              # Version: 2.0.2-alpha
+              uses: cla-assistant/github-action@5a4ef1e1a1f75bceafd9b12704f8a6da576bcf14
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                   PERSONAL_ACCESS_TOKEN : ${{ secrets.BOTIFY_TOKEN }}

diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
@@ -9,7 +9,8 @@ jobs:
         runs-on: ubuntu-16.04
 
         steps:
-            - uses: actions/checkout@v2
+            # Version: 2.3.4
+            - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
               with:
                   fetch-depth: 0
                   token: ${{ secrets.BOTIFY_TOKEN }}
@@ -45,7 +46,8 @@ jobs:
               run: git push --tags
 
             - name: Create Pull Request
-              uses: repo-sync/pull-request@v2
+              # Version: 2.4.3
+              uses: repo-sync/pull-request@33777245b1aace1a58c87a29c90321aa7a74bd7d
               with:
                     source_branch: version-bump-${{ github.sha }}
                     destination_branch: "master"

diff --git a/.github/workflows/web.yml b/.github/workflows/web.yml
@@ -31,7 +31,8 @@ jobs:
                pip3 install cloudflare
 
         - name: Configure AWS Credentials
-          uses: aws-actions/configure-aws-credentials@v1
+          # Version: 1.5.5
+          uses: aws-actions/configure-aws-credentials@e97d7fbc8e0e5af69631c13daa0f4b5a8d88165b
           with:
             aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
             aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Please report any and all security issues to [email protected]