Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: potential CI injections #15720

Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

fix: potential CI injections #15720

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
457ee7f
fix: persist-credentials false for actions/checkout
erikburt Dec 16, 2024
ebeeb0c
fix: possible template injection in CI
erikburt Dec 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/actions/golangci-lint/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,13 @@ runs:
# Only do a full checkout on merge_groups
if: github.event_name == 'merge_group'
with:
persist-credentials: false
fetch-depth: 0
- name: Checkout repo
uses: actions/[email protected]
if: github.event_name != 'merge_group'
with:
persist-credentials: false
fetch-depth: 1
- name: Setup Go
uses: ./.github/actions/setup-go
Expand Down
2 changes: 2 additions & 0 deletions .github/actions/goreleaser-build-sign-publish/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
- name: Configure aws credentials
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
Expand Down
35 changes: 23 additions & 12 deletions .github/workflows/automation-ondemand-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,45 +52,56 @@ jobs:
outputs:
test_list: ${{ steps.set-tests.outputs.test_list }}
require_chainlink_image_versions_in_qa_ecr: ${{ steps.determine-chainlink-image-check.outputs.require_chainlink_image_versions_in_qa_ecr }}
env:
GH_INPUTS_CHAINLINK_IMAGE: ${{ inputs.chainlinkImage }}
GH_INPUTS_CHAINLINK_IMAGE_UPDATE: ${{ inputs.chainlinkImageUpdate }}
GH_INPUTS_CHAINLINK_VERSION: ${{ inputs.chainlinkVersion }}
GH_INPUTS_CHAINLINK_VERSION_UPDATE: ${{ inputs.chainlinkVersionUpdate }}
steps:
- name: Determine build to use
id: determine-build
shell: bash
run: |
if [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then
if [[ "$GH_INPUTS_CHAINLINK_IMAGE" == "QA_ECR" ]]; then
echo "image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV
else
echo "image=${{ inputs.chainlinkImage }}" >> $GITHUB_ENV
echo "image=$GH_INPUTS_CHAINLINK_IMAGE" >> $GITHUB_ENV
fi
if [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then
if [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then
echo "upgrade_image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV
else
echo "upgrade_image=${{ inputs.chainlinkImageUpdate }}" >> $GITHUB_ENV
echo "upgrade_image=$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" >> $GITHUB_ENV
fi
if [[ -z "${{ inputs.chainlinkVersion }}" ]] && [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then
if [[ -z "$GH_INPUTS_CHAINLINK_VERSION" ]] && [[ "$CHAINLINK_IMAGE" == "QA_ECR" ]]; then
echo "version=${{ github.sha }}" >> $GITHUB_ENV
else
echo "version=${{ inputs.chainlinkVersion }}" >> $GITHUB_ENV
echo "version=$GH_INPUTS_CHAINLINK_VERSION" >> $GITHUB_ENV
fi
if [[ -z "${{ inputs.chainlinkVersionUpdate }}" ]] && [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then
if [[ -z "$GH_INPUTS_CHAINLINK_VERSION_UPDATE" ]] && [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then
echo "upgrade_version=${{ github.sha }}" >> $GITHUB_ENV
else
echo "upgrade_version=${{ inputs.chainlinkVersionUpdate }}" >> $GITHUB_ENV
echo "upgrade_version=$GH_INPUTS_CHAINLINK_VERSION_UPDATE" >> $GITHUB_ENV
fi
- name: Check if chainlink image check required
id: determine-chainlink-image-check
shell: bash
env:
CHAINLKINK_IMAGE: ${{ github.event.inputs.chainlinkImage }}
CHAINLINK_IMAGE_UPDATE: ${{ github.event.inputs.chainlinkImageUpdate }}
run: |
chainlink_image_versions=""
if [ "${{ github.event.inputs.chainlinkImage }}" = "QA_ECR" ]; then
if [ "$CHAINLKINK_IMAGE" = "QA_ECR" ]; then
chainlink_image_versions+="${{ env.version }},"
fi
if [ "${{ github.event.inputs.chainlinkImageUpdate }}" = "QA_ECR" ]; then
if [ "$CHAINLINK_IMAGE_UPDATE" = "QA_ECR" ]; then
chainlink_image_versions+="${{ env.upgrade_version }}"
fi
echo "require_chainlink_image_versions_in_qa_ecr=$chainlink_image_versions" >> $GITHUB_OUTPUT
- name: Set tests to run
id: set-tests
env:
GH_EVENT_INPUTS_ENABLE_REORG: ${{ github.event.inputs.enableReorg }}
GH_EVENT_INPUTS_ENABLE_CHAOS: ${{ github.event.inputs.enableChaos }}
run: |

# Always run upgrade tests
Expand Down Expand Up @@ -118,7 +129,7 @@ jobs:
EOF

# Run reorg tests if enabled
if [[ "${{ github.event.inputs.enableReorg }}" == 'true' ]]; then
if [[ "$GH_EVENT_INPUTS_ENABLE_REORG" == 'true' ]]; then
cat >> test_list.yaml <<EOF
- id: reorg/automation_reorg_test.go^TestAutomationReorg/registry_2_0
test_env_vars:
Expand All @@ -143,7 +154,7 @@ jobs:
fi

# Run chaos tests if enabled
if [[ "${{ github.event.inputs.enableChaos }}" == 'true' ]]; then
if [[ "$GH_EVENT_INPUTS_ENABLE_CHAOS" == 'true' ]]; then
cat >> test_list.yaml <<EOF
- id: chaos/automation_chaos_test.go
test_env_vars:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/bash-scripts.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: bash-scripts
with:
Expand All @@ -26,6 +28,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
- name: Run ShellCheck
if: needs.changes.outputs.bash-scripts-src == 'true'
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
Expand Down
20 changes: 14 additions & 6 deletions .github/workflows/build-publish-develop-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,27 +38,33 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
ref: ${{ env.CHECKOUT_REF }}

- name: Get image tag
id: get-image-tag
env:
GH_EVENT_NAME: ${{ github.event_name }}
GH_EVENT_NUMBER: ${{ github.event.number }}
GH_INPUTS_BUILD_PUBLISH: ${{ inputs.build-publish }}
LABEL_HAS_BUILD_PUBLISH: ${{ contains(github.event.pull_request.labels.*.name, 'build-publish') }}
run: |
short_sha=$(git rev-parse --short HEAD)
echo "release-type=snapshot" | tee -a $GITHUB_OUTPUT
if [[ ${{ github.event_name }} == 'push' ]]; then
if [[ $GH_EVENT_NAME == 'push' ]]; then
echo "image-tag=develop" | tee -a $GITHUB_OUTPUT
echo "release-type=nightly" | tee -a $GITHUB_OUTPUT
elif [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then
elif [[ $GH_EVENT_NAME == 'workflow_dispatch' ]]; then
echo "image-tag=${short_sha}" | tee -a $GITHUB_OUTPUT
if [[ "${{ inputs.build-publish }}" == 'false' ]]; then
if [[ "$GH_INPUTS_BUILD_PUBLISH" == 'false' ]]; then
echo "release-type=snapshot" | tee -a $GITHUB_OUTPUT
else
echo "release-type=nightly" | tee -a $GITHUB_OUTPUT
fi
else
if [[ ${{ github.event_name }} == "pull_request" ]]; then
echo "image-tag=pr-${{ github.event.number }}-${short_sha}" | tee -a $GITHUB_OUTPUT
if [[ ${{ contains(github.event.pull_request.labels.*.name, 'build-publish') }} == "true" ]]; then
if [[ $GH_EVENT_NAME == "pull_request" ]]; then
echo "image-tag=pr-${GH_EVENT_NUMBER}-${short_sha}" | tee -a $GITHUB_OUTPUT
if [[ $LABEL_HAS_BUILD_PUBLISH == "true" ]]; then
echo "release-type=nightly" | tee -a $GITHUB_OUTPUT
fi
fi
Expand Down Expand Up @@ -86,6 +92,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
ref: ${{ env.CHECKOUT_REF }}
fetch-depth: 0

Expand Down Expand Up @@ -124,6 +131,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
ref: ${{ env.CHECKOUT_REF }}

- name: Configure aws credentials
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/build-publish-goreleaser.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
Comment on lines +18 to +19
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to do this by default so that we don't have to spam it around everywhere? (and remember to add it in the future for new workflows?)

- name: Check for VERSION file bump on tags
# Avoids checking VERSION file bump on forks.
if: ${{ github.repository == 'smartcontractkit/chainlink' }}
Expand All @@ -38,6 +40,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0

- name: Configure aws credentials
Expand Down Expand Up @@ -96,6 +99,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0

- name: Configure aws credentials
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/build-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
- name: Check git tag type
id: check-git-tag-type
shell: bash
Expand Down Expand Up @@ -67,6 +69,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false

- name: Build, sign and publish chainlink image
id: build-sign-publish
Expand Down Expand Up @@ -99,6 +103,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
- name: Notify Slack
uses: smartcontractkit/.github/actions/slack-notify-git-ref@31e00facdd8f57a2bc7868b5e4c8591bf2aa3727 # [email protected]
with:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/chain-selectors-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ jobs:
steps:
- name: Checkout Repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup Go
uses: ./.github/actions/setup-go
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/changeset.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0

- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
Expand Down Expand Up @@ -95,6 +96,7 @@ jobs:
- name: Checkout .Github repository
uses: actions/[email protected]
with:
persist-credentials: false
repository: smartcontractkit/.github
ref: 9aed33e5298471f20a3d630d711b96ae5538728c # [email protected]
path: ./dot_github
Expand Down Expand Up @@ -170,6 +172,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0

- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/changesets-preview-pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false

- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: change
Expand Down
8 changes: 8 additions & 0 deletions .github/workflows/ci-core-partial.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ jobs:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
repository: smartcontractkit/chainlink
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: match-some
Expand Down Expand Up @@ -59,6 +60,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup NodeJS
uses: ./.github/actions/setup-nodejs
Expand Down Expand Up @@ -134,6 +137,7 @@ jobs:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
# fetches all history for all tags and branches to provide more metadata for sonar reports
fetch-depth: 0

Expand Down Expand Up @@ -191,6 +195,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup Go
uses: ./.github/actions/setup-go
Expand Down Expand Up @@ -235,6 +241,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup Go
uses: ./.github/actions/setup-go
Expand Down
17 changes: 15 additions & 2 deletions .github/workflows/ci-core.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ jobs:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
repository: smartcontractkit/chainlink
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: match-some
Expand Down Expand Up @@ -106,6 +107,8 @@ jobs:
needs: [filter, run-frequency]
steps:
- uses: actions/[email protected]
with:
persist-credentials: false
- name: Golang Lint
uses: ./.github/actions/golangci-lint
if: ${{ needs.filter.outputs.should-run-golangci == 'true' }}
Expand Down Expand Up @@ -152,6 +155,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Change Modtime of Files (cache optimization)
shell: bash
Expand All @@ -174,8 +179,10 @@ jobs:

- name: Replace chainlink-evm deps
if: ${{ needs.filter.outputs.should-run-ci-core == 'true' && inputs.evm-ref != ''}}
env:
GH_INPUTS_EVM_REF: ${{ inputs.evm-ref }}
shell: bash
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@${{ inputs.evm-ref }}
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@$GH_INPUTS_EVM_REF

- name: Setup Solana
if: ${{ needs.filter.outputs.should-run-ci-core == 'true' }}
Expand Down Expand Up @@ -298,6 +305,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup node
uses: actions/[email protected]
Expand All @@ -321,8 +330,10 @@ jobs:

- name: Replace chainlink-evm deps
if: ${{ github.event_name == 'workflow_dispatch' && inputs.evm-ref != ''}}
env:
GH_INPUTS_EVM_REF: ${{ inputs.evm-ref }}
shell: bash
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@${{ inputs.evm-ref }}
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@$GH_INPUTS_EVM_REF

- name: Build binary
run: go build -o chainlink.test .
Expand Down Expand Up @@ -382,6 +393,7 @@ jobs:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0 # fetches all history for all tags and branches to provide more metadata for sonar reports

- name: Download all workflow run artifacts
Expand Down Expand Up @@ -502,6 +514,7 @@ jobs:
exit 0
- uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0
- name: Setup Go
uses: ./.github/actions/setup-go
Expand Down
Loading
Loading