
Discussion on how to prevent the leakage of repository secrets. #364

Open
yanguoyu opened this issue Mar 4, 2024 · 2 comments
yanguoyu commented Mar 4, 2024

Recently, due to the malicious execution of workflows in the Neuron repository, repository secrets may have been leaked.

There are some issues that we need to discuss.

  1. Is signing required for the test package?
  2. How about skipping packaging when triggered by a comment but the user is not a member of the repo?

Are there any alternative solutions that can better prevent secrets from being leaked?

@yanguoyu yanguoyu added the enhancement New feature or request label Mar 4, 2024
yanguoyu commented Mar 5, 2024

To minimize secret usage, we will only use secrets on the master and RC branches. And we will set the package_for_test workflow and add permission for the GITHUB_TOKEN.

Here is the permission doc: https://docs.github.com/zh/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions

I will set the permission like this:

jobs:
  packaging:
    permissions:
      contents: read
    ...
  comment_when_package_success:
    permissions:
      pull-requests: write
      # contents write permission is needed to write a comment on the commit
      contents: write
    ...
  comment_when_package_failed:
    permissions:
      pull-requests: write
    ...

yanguoyu commented Mar 8, 2024

To minimize packaging permission, I will also judge whether the PR comment creator is the current repo's owner or member.
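The two ideas in this thread, per-job least-privilege `permissions` for the `GITHUB_TOKEN` (Mar 5 comment) and skipping the packaging job unless the PR comment comes from the repository owner or an org member (Mar 8 comment), fit together in one `issue_comment` workflow. The following is an added illustration, not the Neuron project's own `package_for_test` workflow: the `/package` trigger phrase, the `npm run package` build command, and the comment bodies are assumptions; `github.event.comment.author_association` and the `OWNER` / `MEMBER` values are the standard GitHub Actions event fields.

```yaml
name: package_for_test

on:
  issue_comment:
    types: [created]

# Workflow-level default: the GITHUB_TOKEN gets no scopes at all.
# Each job below asks for exactly what it needs.
permissions: {}

jobs:
  packaging:
    # Run only when: the comment is on a pull request (not a plain issue),
    # the author is the repo owner or an org member, and the comment is the
    # assumed trigger phrase. Comments from outside contributors are skipped,
    # so the job (and any secrets it could reach) never runs for them.
    if: >-
      github.event.issue.pull_request &&
      contains(fromJSON('["OWNER", "MEMBER"]'), github.event.comment.author_association) &&
      startsWith(github.event.comment.body, '/package')
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Build test package
        run: npm run package   # assumed build command

  comment_when_package_success:
    needs: packaging
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      # contents: write is only needed if the job also comments on the commit
      contents: write
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Test package built successfully.',
            });

  comment_when_package_failed:
    needs: packaging
    # failure() is true only when packaging actually ran and failed;
    # a skipped packaging job (gate not satisfied) does not trigger this.
    if: failure()
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Test package build failed.',
            });
```

Two points worth checking when adopting this shape. First, on an `issue_comment` event `actions/checkout` checks out the default branch, not the PR head; if the build must use the PR's code, the `author_association` gate is the only thing standing between an untrusted contributor's changes and whatever the job can reach, so keep the gate on the job that does the building, not only on the commenting jobs. Second, the "secrets only on master and RC branches" goal can be enforced with a GitHub environment whose deployment-branch rule lists those branches and which holds the signing secrets; a job that references that environment from any other branch is rejected before it starts.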

Projects
Status: ✅ Done
4 participants