Assess use of GitHub-developed octokit/request-action in Mozilla's GitHub organization
Categories
(mozilla.org :: Github: Administration, task)
Tracking
(Not tracked)
People
(Reporter: Vincent, Unassigned)
Details
Steps to reproduce:
I would like to use the octokit/request-action Action in mozilla for the following reasons:
I want to link to the test builds of our add-on in pull requests, to make it easier for QA and localisation teams to test new translations, bug fixes and features as quickly as possible.
Of note is that this Action is developed by GitHub itself, albeit not in the actions group, but in the octokit one, containing "Official clients for the GitHub API".
** Which repositories do you want to have access? (all or list)
https://github.com/mozilla/fx-private-relay-add-on/
** Are any of those repositories private?
no
** Provide link to vendor's description of permissions needed and why
The action uses the built-in GITHUB_TOKEN environment variable available to GitHub Actions.
** Provide the Install link for a GitHub app
https://github.com/octokit/request-action
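As an added illustration of the use case in this request (not a workflow from the bug report or from the fx-private-relay-add-on repository), the following GitHub Actions workflow posts a link to a test build as a pull-request comment through octokit/request-action, with the default GITHUB_TOKEN narrowed to the one write scope the call needs. The action name and its reliance on GITHUB_TOKEN come from the report above; the input names (route, owner, repo, issue_number, body), the `@v2.x` tag, the build step and the artifact URL are assumptions for the example.

```yaml
# Added example, not part of the original request. Assumptions: the
# octokit/request-action inputs (route, owner, repo, issue_number, body)
# and the "@v2.x" tag follow the action's public README; the build step
# and ARTIFACT_URL are placeholders for the real add-on build.
name: Link test build in pull request

on:
  pull_request:   # runs in the PR's own context, not pull_request_target

# Least privilege: every scope not listed here is denied to GITHUB_TOKEN,
# so a compromised step in this job cannot push code, change workflows,
# or touch packages; it can only read the repo and comment on the PR.
permissions:
  contents: read
  pull-requests: write

jobs:
  comment-with-build-link:
    runs-on: ubuntu-latest
    steps:
      # Placeholder for the real build/upload step; the URL is constructed.
      - name: Build add-on and publish test artifact (placeholder)
        run: echo "ARTIFACT_URL=https://builds.example.invalid/${GITHUB_SHA}.xpi" >> "$GITHUB_ENV"

      # Only values the workflow itself controls (commit SHA, our own env
      # variable) are interpolated into the comment body, never PR-supplied
      # text such as the title or branch name.
      - name: Comment on the pull request
        uses: octokit/request-action@v2.x
        with:
          route: POST /repos/{owner}/{repo}/issues/{issue_number}/comments
          owner: ${{ github.repository_owner }}
          repo: ${{ github.event.repository.name }}
          issue_number: ${{ github.event.pull_request.number }}
          body: "Test build for ${{ github.sha }}: ${{ env.ARTIFACT_URL }}"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two checks a reviewer would make on a workflow like this: for pull requests opened from forks, GitHub issues a read-only GITHUB_TOKEN, so the comment step fails rather than escalates, which is the intended behaviour; and in an organisation that runs an allow list of actions, pinning `octokit/request-action` to a full commit SHA instead of a moving tag keeps the approved code and the executed code identical.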
Comment 1•4 years ago
While I'm 90% certain, being a GitHub-produced action, this will get the thumbs up from secops, per the runbooks, it's not already around, so forwarding for the official thumbs up and adding to the lists of approved actions if appropriate.
Hal, let us know. Thanks.
I did manage to work around this for now by using https://github.com/actions/github-script, but for people who don't know JavaScript, using the purpose-built Action could still be useful. (And presumably everything in the octokit organisation?)
Glad you found a workaround, as this approval will take deeper investigation. (I do think the no-JS-knowledge-needed makes this a good reason.)
There is a current issue with how the GitHub issued tokens can be misused. I think this action is subject to that misuse. I'll need to verify that, and that the mitigation is effective, before approving.
NOTE: there's a chance that the github-script action may also be impacted. I'll try to let you know in advance of any changes, so you can verify any impact.
As for adding all octokit actions to the allow list, no. I'm assuming GitHub would have included octokit in the list of orgs of "GitHub written actions" if they wanted to. My belief is that code in octokit is intended as examples, and not fully vetted by GitHub for security.
Leaving NI set on myself for further action.
No subsequent request for this, so I am inferring no business need and closing.
N.B.: no further analysis as mentioned in comment 3 has been done. Any new request needs a new analysis.