有没有办法强制 Github 操作在来自分支的拉取请求触发器中使用主分支工作流文件?
[英]Is there a way to force Github actions use main branch workflow files in a pull request trigger from a fork?
问题描述
I have a question using github actions with a fork model.
我有一个使用 github 动作和叉子 model 的问题。
I work with a fork model, where forked repository needs to be checked by CI workflows in a pull requests from the fork back to base repository .我使用 fork model,其中分叉的存储库需要通过 CI 工作流在从 fork 返回到基本存储库的拉取请求中进行检查。 The CI workflows needs some secret from the base repository. CI 工作流需要来自基本存储库的一些秘密。
Current setup:当前设置:
Base Repository/main branch/.github/workflows/correct workflow files.
Base Repository/main branch/.github/workflows/正确的工作流文件。Forked Repository/main branch/.github/workflows/maliciously modified files to reveal secrets.
分叉存储库/主分支/.github/workflows/恶意修改文件以泄露秘密。Action settings in base repository:
基本存储库中的操作设置:- Run workflows from fork pull requests [yes]从分叉拉取请求运行工作流程 [是]
- Send write tokens to workflows from fork pull requests [no]从分叉拉取请求将写入令牌发送到工作流 [否]
- Send secrets to workflows form fork pull requests [yes]从分叉拉取请求中向工作流发送机密 [是]
- Run workflows from fork pull requests [yes]
Observed Behaviors/Q:观察到的行为/Q:
- I can create a pull request from forked main branch -> base main branch我可以从分叉的主分支创建拉取请求 -> 基础主分支
- The request triggers workflow runs, using files from the FORKED repository.请求触发工作流运行,使用来自 FORKED 存储库的文件。 This is a problem because someone can fork the branch and add workflow to reveal secrets.这是一个问题,因为有人可以分叉分支并添加工作流来揭示秘密。
- The
aws-actions/configure-aws-credentialsinside a workflow can log in with AWS.工作流中的aws-actions/configure-aws-credentials可以使用 AWS 登录。 This is a problem because this action requirespermissions: id-token: write.这是一个问题,因为此操作需要permissions: id-token: write。 From what I understand, pull requests from forks should not grant any write permissions to workflows.据我了解,来自分叉的拉取请求不应授予工作流任何写入权限。 I am concerned about security here as well.我也担心这里的安全。
Hopeful behavior:希望的行为:
What I want to achieve is, still allowing pull requests from forked repos to trigger CI workflows, but using files from the base repo instead of the forked repo.我想要实现的是,仍然允许来自分叉存储库的拉取请求来触发 CI 工作流,但使用来自基本存储库的文件而不是分叉存储库。 Is this possible in anyways?无论如何这可能吗? If not, any remedies?如果没有,有什么补救措施吗?
Also want to check my understanding about the supposedly read only permission granted to forked pull requests.还想检查我对授予分叉拉取请求的所谓只读权限的理解。 Why the id-token:write permission seems to work?为什么id-token:write权限似乎有效? Is it true that the explicit permission declaration in workflow files can override the fork pull request limitation?工作流文件中的显式权限声明是否可以覆盖分叉拉取请求限制?
Apologize if I misunderstand important concepts, first time workflow user.如果我误解了重要概念,第一次使用工作流用户,请道歉。
Reference: prevent PWN attacks参考: 防止PWN攻击
1 个解决方案
解决方案1
0 2022-09-01 02:47:30
I'm unable to provide a solution to protect general credentials, however I can propose a workaround for AWS-specific credentials.我无法提供保护通用凭证的解决方案,但是我可以针对 AWS 特定凭证提出解决方法。
OpenID Connect
You can create an IAM role that OpenID enabled, and trust github action assume it.您可以创建一个启用 OpenID 的 IAM 角色,并trust github 操作承担它。 This was accomplished by a variety of our github actions.这是通过我们的各种 github 操作完成的。
You can find more detail in github's docs.您可以在 github 的文档中找到更多详细信息。
https://docs.github.com/cn/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services https://docs.github.com/cn/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.