GitHub Actions requiring secrets on a fork-origin PR
Question
We have a function code in our organization's GitHub repository that is supposed to get compiled and deployed in an AWS Lambda Function and emit an expected output. We are trying to implement this as an integration test in a CI/CD pipeline using GitHub Actions. We want this action to run each time a new PR is created to ensure that the included code changes do not lead to any regression test failures.
This is how the GitHub action is expected to run:
1. Use aws-actions/configure-aws-credentials to assume a role backed by an OIDC connector behind the scenes, where ROLE_ARN is passed as a secret.
2. Build the code and update the AWS Lambda Function with the latest code.
3. Invoke the Lambda Function.
4. Compare the output from Step 3 with a pre-determined expected output.
5. Pass or fail the integration test based on the comparison in Step 4.
(Ideally, we would want to extend this to also create a new Lambda function with auto-generated name on every execution and clean it up after the execution is complete, but that's not relevant to the problem statement.)
We are aware that GitHub best practices recommend that organization secrets should not be shared on a forked PR, as it opens up the possibility of threats by bad actors using script injection attacks. (Reference - Security hardening for GitHub Actions) Even if we set up an action, the secrets are not initialized in a fork-origin PR workflow.
We need to know, then, what are the recommended ways to implement the equivalent of what we are trying to achieve here, since this might be one of the most common use cases encountered by the community.
We also tried seeing if environment secrets behave differently than repository secrets, but it turns out that for a fork-origin PR none of the secrets (including env secrets) get passed.
Why can't we have a manual approval-backed workflow (similar to environments) where an approver will first ensure if the corresponding GitHub action workflow isn't changed for dangerous actions (like an injection) and only then run the integration test?
Update 3/6: Turns out there is another downside with fork-origin PRs apart from just passing secrets: the permission for id-token cannot be set to write; the most it can be set to is read. (Reference - Automatic token authentication)
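For readers who want to see the five steps from the question as a concrete workflow file, here is an added example (it is not code from the original question or from the aws-actions project). The function name, AWS region, the path of the committed expected-output file, the action versions and the payload are assumptions; ROLE_ARN is the repository secret the question names. The permissions block is kept to the minimum the job needs, and, as the question's update notes, id-token stays read-only on a fork-origin PR, so this job can only assume the role for PRs from branches in the same repository.

```yaml
# Added example, not from the original post. Placeholders: FUNCTION_NAME,
# aws-region, tests/expected.json and the action versions are assumptions.
name: lambda-integration-test

on:
  pull_request:

# Least privilege: id-token: write is required for the OIDC exchange,
# nothing else beyond reading the repository contents is needed.
permissions:
  contents: read
  id-token: write

jobs:
  integration-test:
    runs-on: ubuntu-latest
    env:
      FUNCTION_NAME: my-integration-test-function   # placeholder name
    steps:
      - uses: actions/checkout@v4

      # Step 1: assume the OIDC-backed role. ROLE_ARN comes from a
      # repository secret, so on a fork-origin PR this step has no value
      # to work with and the job fails here rather than later.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.ROLE_ARN }}
          aws-region: us-east-1   # placeholder region

      # Step 2: package the code and update the function, then wait until
      # the update has finished before invoking.
      - name: Build and deploy
        shell: bash
        run: |
          zip -r function.zip . -x '.git/*'
          aws lambda update-function-code \
            --function-name "$FUNCTION_NAME" \
            --zip-file fileb://function.zip
          aws lambda wait function-updated --function-name "$FUNCTION_NAME"

      # Step 3: invoke the function and capture its response payload.
      - name: Invoke Lambda function
        shell: bash
        run: |
          aws lambda invoke \
            --function-name "$FUNCTION_NAME" \
            --cli-binary-format raw-in-base64-out \
            --payload '{}' \
            actual.json

      # Steps 4 and 5: compare against the expected output committed in the
      # repository. jq -S normalises key order; a non-empty diff exits
      # non-zero and therefore fails the job.
      - name: Compare with expected output
        shell: bash
        run: |
          diff <(jq -S . tests/expected.json) <(jq -S . actual.json)
```

The comparison deliberately reads the expected output from a file committed alongside the code, so a PR that changes the function's behaviour has to change the expected output in the same review, where a reviewer can see both.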
Answer 1
Score: 1
If you are using private repositories with forks, you can enable the option "Send write tokens to workflows from pull requests", which allows pull requests from forks to use a GITHUB_TOKEN with write permission. Your organization might need to enable this centrally to allow usage if they have not done so yet.
You should also "Require approval for fork pull request workflows" to ensure that workflow runs on pull requests from collaborators without write permission will be reviewed and approved by someone with write permission before they run.