Apply Zizmor fixes to increase HcPkgPreReleaseGitops workflow security#214
Open
Exairnous wants to merge 1 commit into
What?
Prevents credentials from actions/checkout from persisting, and replaces direct use of the GitHub variables in the shell execution with indirect usage via shell variables.
Why?
To help minimize the chance of the workflow being hacked.
According to Zizmor, filtering GitHub variables through environment variables prevents code injection via template expansion. Essentially, this should ensure an attacker can't manipulate data in GitHub to achieve remote code execution when the workflow is run.
Examples
N/A
How to test
DO NOT TEST THE WORKFLOW ITSELF. This workflow isn't currently used and running this workflow will overwrite branches.
To verify that all the Zizmor issues have been addressed, run the following command from the repository folder and see that Zizmor reports no issues for the HcPkgPreReleaseGitops workflow.
Documentation of functionality
This doesn't change the functionality of the workflow, so no documentation update is needed.
Known limitations
This doesn't limit the permissions. This workflow isn't currently used and running this workflow will overwrite branches, so there isn't a way to test what permissions it needs and it doesn't really matter at this point in time if it works or not (if we decide to start using the workflow, then we can figure out the permissions then). Since it is planned to globally restrict permissions for all Hubs Foundation workflows, there shouldn't be any risk to leaving the permissions as is.
This doesn't update any of the external workflow versions. I feel it is out of scope for this PR and can/should be done along with all the others in further PRs when addressing GitHub's required update to use Node 24+.
Alternative implementations considered
None.
Open questions
None.
Additional details or related context
This workflow is unused, so this update is merely out of an abundance of caution.
This workflow can be called from the hc-pkgcaller workflow in the Reticulum repository.
Part of Hubs-Foundation/.github#13
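The two changes the PR describes (an `actions/checkout` step without `persist-credentials: false`, and `${{ ... }}` expressions expanded directly inside a `run:` script instead of being routed through `env:`) are easy to check for mechanically. The following is an added example written for this page, not code from the PR or from Zizmor: a small line-based checker in Python that flags both patterns, run over two constructed workflow snippets (a vulnerable step and its hardened form; neither is the repository's actual HcPkgPreReleaseGitops workflow). It is cruder than Zizmor's own audits, which roughly correspond to its `template-injection` and `artipacked` checks: it reports every expression inside a `run:` block, not only those fed from attacker-controllable contexts.

```python
"""Flag two GitHub Actions workflow anti-patterns on raw workflow text.

Added example; the sample workflows below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A ${{ ... }} expression: the runner substitutes it into the script text
# before the shell parses it, so attacker-controlled values become code.
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
STEP_START = re.compile(r"^\s*-\s")
CHECKOUT = re.compile(r"uses:\s*['\"]?actions/checkout(?=[@\s'\"]|$)")
PERSIST = re.compile(r"persist-credentials:\s*(true|false)\b")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the workflow text
    kind: str      # "template-injection" or "persisted-credentials"
    detail: str


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def lint_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    run_indent: int | None = None          # indent of the `run` key while inside its block scalar
    checkout: tuple[int, bool] | None = None  # (line of actions/checkout, persist-credentials seen false)

    def close_checkout() -> None:
        nonlocal checkout
        if checkout is not None and not checkout[1]:
            findings.append(Finding(checkout[0], "persisted-credentials",
                                    "actions/checkout without persist-credentials: false"))
        checkout = None

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip():
            continue

        # Lines of a `run: |` block scalar are indented deeper than the key itself.
        if run_indent is not None:
            if _indent(line) > run_indent:
                for m in EXPR.finditer(line):
                    findings.append(Finding(lineno, "template-injection", m.group(1)))
                continue
            run_indent = None

        if STEP_START.match(line):        # a new step: settle the previous checkout step
            close_checkout()

        if CHECKOUT.search(line):
            checkout = (lineno, False)
        elif checkout is not None and (pm := PERSIST.search(line)):
            checkout = (checkout[0], pm.group(1) == "false")

        rm = RUN_KEY.match(line)
        if rm:
            key_indent, value = len(rm.group(1)), rm.group(2)
            if value.startswith(("|", ">")):
                run_indent = key_indent         # block scalar: scan the following lines
            else:
                for m in EXPR.finditer(value):  # inline form: run: echo ${{ ... }}
                    findings.append(Finding(lineno, "template-injection", m.group(1)))

    close_checkout()
    return findings


# Constructed sample: the shape Zizmor objects to.
VULNERABLE = """\
name: pre-release   # constructed sample, not the repository's workflow
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Tag the release
        run: |
          git tag "${{ inputs.tag }}"
          echo "Tagged by ${{ github.actor }}"
"""

# Constructed sample: the same step after the fixes the PR describes.
HARDENED = """\
name: pre-release   # constructed sample, not the repository's workflow
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not left behind in .git/config
      - name: Tag the release
        env:                           # expanded by the runner, never by the shell
          TAG: ${{ inputs.tag }}
          ACTOR: ${{ github.actor }}
        run: |
          git tag "$TAG"
          echo "Tagged by $ACTOR"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{label}: {len(lint_workflow(text))} finding(s)")
        for f in lint_workflow(text):
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

The hardened sample still contains `${{ inputs.tag }}`, but only under `env:`; the checker (like the PR's fix) treats that as safe because the value reaches the script as an ordinary shell variable rather than as text spliced into the script.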