github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-17 14:06:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
438 Commits 40 Branches 45 Tags
f0fedec1ddea913a67c24e4e25b2b7cebcacc901
Commit Graph

3 Commits

Author SHA1 Message Date
Ramon Petgrave
18c5f13b3e fix: signoff commit (#767) 
Followup to https://github.com/slsa-framework/slsa-verifier/pull/760

Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit

# Testing

- [x] Invoked this PR's branch copy of the workflow against #717, and it
did signoff the commit.
-
9670f76ab8

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 16:45:20 +00:00
Ramon Petgrave
b55bf59ce4 fix: use pr_number as env variable (#771) 
changing the update-dist workflow to use the `pr_number` input as an env
variable to avoid [script
injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks).

Our workflows are only invokable by our trusted maintainers so we should
be okay. This is just an extra hardening measure.

Open issue
https://github.com/actions/runner/issues/1070#issuecomment-2113287699

## Testing

I confirmed the issue by invoking the workflow with `650 && echo SCRIPT
INJECTION`, and it did also do the extra `echo` command.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36

after invoking the workflow again with this PR's version, the problem is
mitigated.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-22 12:20:16 -04:00
Ramon Petgrave
23160d82c0 feat: workflow to update actions dist (#760) 
Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.

> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!

## Testing.

Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
 2024-05-06 17:56:35 -04:00