Permit actions-rs GitHub Actions
Categories: mozilla.org :: Github: Administration, task
Tracking: Not tracked
People: Reporter: mt, Unassigned
Details
I just learned that while we enable GitHub Actions on the @mozilla org on GitHub, the set of actions that are allowed is quite narrow [1]. This is good, but I have a request to allow actions from @actions-rs. Specifically the actions-rs/toolchain action, which manages the installation of rust toolchains. I've also found actions-rs/cargo to be useful, but it is not critical.
It's possible to re-implement all of this manually, but it's fiddly to get right and a maintenance burden thereafter.
Is it possible to add actions-rs/* or actions-rs/toolchain to the allowlist for the org? We would use these for the mozilla/neqo project if they were available. I've looked at the code and it is unremarkable. It could be better[2], but it appears to be well written and is actively maintained and widely used.
Thanks,
Martin
[1] "Actions in this workflow must be: within a repository that belongs to your Enterprise account, created by GitHub or match the following: !/mozilla/**, !mozilla/**, ./**, aws-actions/*, docker/*, pypa/gh-action-pypi-publish@v1.4.2."
[2] They rely on https exclusively to ensure that packages are authentic. They could use sha256sum and specific versions, but that might make it harder for rustup patches to get deployed. This is a tradeoff that I might have taken a different decision on, but theirs is a defensible choice.
Comment 1•3 years ago
NI'ing :ajvb who's subbing in for Hal on secops' behalf.
AJ, if you need anything from GH owners, let me know.
Comment 2•3 years ago
:cknowles - Do we have the ability to add actions-rs/toolchain
to the allowlist for this specific repo? Or is there only a GH org-wide allowlist?
Comment 4•3 years ago
:mt - Currently, the recommended course of action is to either fork the actions-rs/toolchain
into the mozilla org or to pull it into your repo.
Reporter
Comment 5•3 years ago
I'll look into doing that. Though in this case, it's probably easier to just run the installer commands directly.
Can you say more about the policy that you are applying here? Is there some documentation I might reference?
Reporter
Comment 6•3 years ago
One other request, can someone with the admin bits visit https://app.circleci.com/settings/project/github/mozilla/neqo and hit the "Stop Building" button?
Comment 7•3 years ago
Unfortunately there are security implications to my logging into that with the GH owner bits set (to wit, it would give circleci read/write access to every repo in every org, and I don't see a way to limit the blast radius.) --- I have to refer to secops. :ajvb - any guidance here?
I did try temporarily disabling github actions from the GH side, but that probably won't stop ongoing activities on the circleci side. (Ping me on slack or here, and I can re-enable actions on this repo)
Barring that, the admin of that particular repo can probably help. But I see that's you. Can you not disable the circleci actions?
Comment 8•3 years ago
(In reply to Martin Thomson [:mt:] from comment #5)
> I'll look into doing that. Though in this case, it's probably easier to just run the installer commands directly.
> Can you say more about the policy that you are applying here? Is there some documentation I might reference?
Yeah, so the main concern here is that Github Actions from untrusted sources can allow for all sorts of nefarious actions. As well, there are not a lot of good means for monitoring the continuous security state of an action. We would like to invest more in this in the future, but have not been able to yet. Until that story is improved, we've taken the stance of not allowing Github Actions unless there is both a particularly high need and high trust with the owning org.
AIUI, there is not a lot of documentation at the moment. https://wiki.mozilla.org/GitHub#GitHub_Actions is where you'd want to look typically, but as of now it essentially says: "please talk to security", which isn't very helpful.
(In reply to Martin Thomson [:mt:] from comment #6)
> One other request, can someone with the admin bits visit https://app.circleci.com/settings/project/github/mozilla/neqo and hit the "Stop Building" button?
As :cknowles said, you should be able to disable this as an admin of the repo. Is that not the case?
Reporter
Comment 9•3 years ago
(Thanks for the context; that all makes sense.)
I have the admin bits on GitHub, but apparently that doesn't work for Circle: "You must have admin access to stop building this project." And mashing the button anyway had no effect :)
Reporter
Comment 10•3 years ago
I think that we can close this. I had to re-implement the actions, which was unpleasant, but I think that the outcome is acceptable. And I had a brief chat with :cknowles and we worked out something that will at least disable the circleci bits.
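The bug's description says re-implementing what actions-rs/toolchain does is "fiddly to get right", and comment 10 says it was eventually done by hand. The following is an added example of that re-implementation, written for this page and not taken from the bug, from actions-rs, or from the neqo repository: a POSIX shell step that installs rustup and a pinned toolchain directly, and adds the sha256 pin that footnote [2] notes actions-rs does not use. The rustup-init URL is the one the Rust project publishes for x86_64 Linux; the toolchain version is an assumed example, and RUSTUP_INIT_SHA256 is an obvious placeholder to be replaced with the hash of the release you pin.

```shell
#!/bin/sh
# Added example (not from the bug or from actions-rs): install a pinned Rust
# toolchain in CI without a third-party action, verifying rustup-init against a
# pinned SHA-256 before running it. Fails closed on any mismatch.
set -eu

RUST_TOOLCHAIN="${RUST_TOOLCHAIN:-1.70.0}"   # assumed example version; pin your own
RUSTUP_INIT_URL="https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init"
# PLACEHOLDER: replace with the sha256 of the rustup-init build you pin.
RUSTUP_INIT_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 of file $1, using whichever tool the runner has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if file $1 hashes to $2, 1 otherwise. A mismatch is an error, never a
# warning, so a tampered or truncated download stops the job before it executes.
verify_sha256() {
    actual="$(sha256_of "$1")"
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "sha256 mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# Download rustup-init over TLS, verify it against the pin, then install only the
# requested toolchain with the minimal profile. Needs network; not exercised by
# the offline checks on verify_sha256.
install_rust_toolchain() {
    tmp="$(mktemp)"
    curl --proto '=https' --tlsv1.2 -sSfL "$RUSTUP_INIT_URL" -o "$tmp"
    verify_sha256 "$tmp" "$RUSTUP_INIT_SHA256"
    chmod +x "$tmp"
    "$tmp" -y --no-modify-path --profile minimal --default-toolchain "$RUST_TOOLCHAIN"
    rm -f "$tmp"
    "$HOME/.cargo/bin/rustc" --version
}
```

Call install_rust_toolchain from a workflow `run:` step and add `$HOME/.cargo/bin` to the job's PATH afterwards. The pin trades the convenience footnote [2] describes (rustup patches flowing through automatically) for a check that the installer bytes are the ones you reviewed; bumping the pin becomes an explicit, reviewable change in the repo rather than something that happens silently in a third-party action.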