Closed Bug 1730873 Opened 3 years ago Closed 3 years ago

Permit actions-rs GitHub Actions

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: mt, Unassigned)


Details

I just learned that while we enable GitHub Actions on the @mozilla org on GitHub, the set of actions that are allowed are quite narrow[1]. This is good, but I have a request to allow actions from @actions-rs. Specifically the actions-rs/toolchain action, which manages the installation of rust toolchains. I've also found actions-rs/cargo to be useful, but it is not critical.

It's possible to re-implement all of this manually, but it's fiddly to get right and a maintenance burden thereafter.

Is it possible to add actions-rs/* or actions-rs/toolchain to the allowlist for the org? We would use these for the mozilla/neqo project if they were available. I've looked at the code and it is unremarkable. It could be better[2], but it appears to be well written and is actively maintained and widely used.

Thanks,
Martin

[1] "Actions in this workflow must be: within a repository that belongs to your Enterprise account, created by GitHub or match the following: !/mozilla/**, !mozilla/**, ./**, aws-actions/*, docker/*, pypa/gh-action-pypi-publish@v1.4.2."
[2] They rely on https exclusively to ensure that packages are authentic. They could use sha256sum and specific versions, but that might make it harder for rustup patches to get deployed. This is a tradeoff that I might have taken a different decision on, but theirs is a defensible choice.
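The manual re-implementation this comment weighs against actions-rs/toolchain, written out as an added example (it is not code from the bug, from mozilla/neqo, or from the actions-rs project): a POSIX shell helper for a workflow `run:` step that fetches a specific rustup-init release, checks it against a caller-supplied SHA-256 before executing it, and then installs a pinned toolchain. The archive URL layout under static.rust-lang.org, the use of `GITHUB_PATH` to expose `~/.cargo/bin`, and the idea of keeping the expected digest in the repository are all assumptions of this example; the digest itself is not supplied here and has to be bumped by hand whenever the pinned rustup version changes, which is exactly the maintenance cost the tradeoff above describes.

```shell
#!/bin/sh
# Added example, not part of the bug or of actions-rs: a pinned, checksum-
# verified replacement for actions-rs/toolchain in a plain `run:` step.
# Assumptions: rustup-init lives at the static.rust-lang.org archive path
# below, and the caller supplies the expected SHA-256 (e.g. committed in the
# repo), which is the "sha256sum and specific versions" option from the bug.
set -eu

# SHA-256 of a file, portable across GNU sha256sum and BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if the file's digest equals the expected one (case-insensitive),
# 1 (with a message on stderr) otherwise. Callers must not run the file on 1.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected, got $actual" >&2
  return 1
}

# Archive URL for a specific rustup release and target triple (assumed layout).
rustup_init_url() {
  printf 'https://static.rust-lang.org/rustup/archive/%s/%s/rustup-init' "$1" "$2"
}

# Download a pinned rustup-init, verify it, then install a pinned toolchain.
# Usage: install_rustup_pinned <rustup-version> <target-triple> <sha256> <toolchain>
# e.g.   install_rustup_pinned 1.26.0 x86_64-unknown-linux-gnu <digest> 1.72.0
install_rustup_pinned() {
  rustup_version=$1
  target=$2
  expected_sha=$3
  toolchain=$4
  tmp=$(mktemp -d)
  # --proto '=https' and --tlsv1.2 refuse any downgrade to http or old TLS;
  # the checksum below is what protects against a compromised or wrong file.
  curl --proto '=https' --tlsv1.2 -sSfL \
    "$(rustup_init_url "$rustup_version" "$target")" -o "$tmp/rustup-init"
  verify_sha256 "$tmp/rustup-init" "$expected_sha"
  chmod +x "$tmp/rustup-init"
  "$tmp/rustup-init" -y --profile minimal --no-modify-path \
    --default-toolchain "$toolchain"
  rm -rf "$tmp"
  # Expose cargo to later workflow steps when running under GitHub Actions.
  if [ -n "${GITHUB_PATH:-}" ]; then
    echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
  fi
}
```

Source the file from a workflow step and call `install_rustup_pinned` with the rustup version, target, digest and toolchain you want; the digest is compared before `rustup-init` is ever made executable, so a mismatch fails the step instead of running an unexpected binary. Pinning the rustup version means rustup's own fixes only arrive when someone updates the pin, which is the other side of the tradeoff the comment above notes.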

NI'ing :ajvb who's subbing in for Hal on secops behalf.

AJ, if you need anything from GH owners, let me know.

Flags: needinfo?(abahnken)

:cknowles - Do we have the ability to add actions-rs/toolchain to the allowlist for this specific repo? Or is there only a GH org-wide allowlist?

Flags: needinfo?(abahnken) → needinfo?(cknowles)

The allow list is org-wide.

Flags: needinfo?(cknowles)

:mt - Currently, the recommended course of action is to either fork the actions-rs/toolchain into the mozilla org or to pull it into your repo.

I'll look into doing that. Though in this case, it's probably easier to just run the installer commands directly.

Can you say more about the policy that you are applying here? Is there some documentation I might reference?

Flags: needinfo?(abahnken)

One other request, can someone with the admin bits visit https://app.circleci.com/settings/project/github/mozilla/neqo and hit the "Stop Building" button?

Unfortunately there are security implications to my logging into that with the GH owner bits set (to wit, it would give circleci read/write access to every repo in every org, and I don't see a way to limit the blast radius). I have to refer to secops. :ajvb - any guidance here?

I did try temporarily disabling github actions from the GH side, but that probably won't stop ongoing activities on the circleci side. (Ping me on slack or here, and I can re-enable actions on this repo)

Barring that, the admin of that particular repo can probably help. But I see that's you. Can you not disable the circleci actions?

(In reply to Martin Thomson [:mt:] from comment #5)

> I'll look into doing that. Though in this case, it's probably easier to just run the installer commands directly.
>
> Can you say more about the policy that you are applying here? Is there some documentation I might reference?

Yeah, so the main concern here is that Github Actions from untrusted sources can allow for all sorts of nefarious actions. As well, there are not a lot of good means for monitoring the continuous security state of an action. We would like to invest more in this in the future, but have not been able to yet. Until that story is improved, we've taken the stance of not allowing Github Actions unless there is both a particularly high need and high trust with the owning org.

AIUI, there is not a lot of documentation at the moment. https://wiki.mozilla.org/GitHub#GitHub_Actions is where you'd want to look typically, but as of now it essentially says: "please talk to security", which isn't very helpful.

(In reply to Martin Thomson [:mt:] from comment #6)

> One other request, can someone with the admin bits visit https://app.circleci.com/settings/project/github/mozilla/neqo and hit the "Stop Building" button?

As :cknowles said, you should be able to disable this as an admin of the repo. Is that not the case?

Flags: needinfo?(abahnken)

(Thanks for the context; that all makes sense.)

I have the admin bits on GitHub, but apparently that doesn't work for Circle: "You must have admin access to stop building this project." And mashing the button anyway had no effect :)

I think that we can close this. I had to re-implement the actions, which was unpleasant, but I think that the outcome is acceptable. And I had a brief chat with :cknowles and we worked out something that will at least disable the circleci bits.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX