[英]Is there a way to force Github actions use main branch workflow files in a pull request trigger from a fork?
I have a question using github actions with a fork model.我有一个使用 github 动作和叉子 model 的问题。
I work with a fork model, where forked repository needs to be checked by CI workflows in a pull requests from the fork back to base repository .我使用 fork model,其中分叉的存储库需要通过 CI 工作流在从 fork 返回到基本存储库的拉取请求中进行检查。 The CI workflows needs some secret from the base repository. CI 工作流需要来自基本存储库的一些秘密。
Current setup:当前设置:
Base Repository/main branch/.github/workflows/correct workflow files. Base Repository/main branch/.github/workflows/正确的工作流文件。
Forked Repository/main branch/.github/workflows/maliciously modified files to reveal secrets.分叉存储库/主分支/.github/workflows/恶意修改文件以泄露秘密。
Action settings in base repository:基本存储库中的操作设置:
Observed Behaviors/Q:观察到的行为/Q:
aws-actions/configure-aws-credentials
inside a workflow can log in with AWS.工作流中的aws-actions/configure-aws-credentials
可以使用 AWS 登录。 This is a problem because this action requires permissions: id-token: write
.这是一个问题,因为此操作需要permissions: id-token: write
。 From what I understand, pull requests from forks should not grant any write permissions to workflows.据我了解,来自分叉的拉取请求不应授予工作流任何写入权限。 I am concerned about security here as well.我也担心这里的安全。Hopeful behavior:希望的行为:
What I want to achieve is, still allowing pull requests from forked repos to trigger CI workflows, but using files from the base repo instead of the forked repo.我想要实现的是,仍然允许来自分叉存储库的拉取请求来触发 CI 工作流,但使用来自基本存储库的文件而不是分叉存储库。 Is this possible in anyways?无论如何这可能吗? If not, any remedies?如果没有,有什么补救措施吗?
Also want to check my understanding about the supposedly read only permission granted to forked pull requests.还想检查我对授予分叉拉取请求的所谓只读权限的理解。 Why the id-token:write
permission seems to work?为什么id-token:write
权限似乎有效? Is it true that the explicit permission declaration in workflow files can override the fork pull request limitation?工作流文件中的显式权限声明是否可以覆盖分叉拉取请求限制?
Apologize if I misunderstand important concepts, first time workflow user.如果我误解了重要概念,第一次使用工作流用户,请道歉。
Reference: prevent PWN attacks参考: 防止PWN攻击
I'm unable to provide a solution to protect general credentials, however I can propose a workaround for AWS-specific credentials.我无法提供保护通用凭证的解决方案,但是我可以针对 AWS 特定凭证提出解决方法。
OpenID Connect
You can create an IAM role that OpenID enabled, and trust
github action assume it.您可以创建一个启用 OpenID 的 IAM 角色,并trust
github 操作承担它。 This was accomplished by a variety of our github actions.这是通过我们的各种 github 操作完成的。
You can find more detail in github's docs.您可以在 github 的文档中找到更多详细信息。
https://docs.github.com/cn/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services https://docs.github.com/cn/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.