Closed Bug 1827707 Opened 2 years ago Closed 2 years ago

Assess use of external action codecov in the MozMeao GitHub organization mozmeao/basket

Categories

(mozilla.org :: Github: Administration, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: robhudson, Assigned: cknowles)

Details

I want to use the codecov addon in mozmeao for the following reasons:

Below are my answers to your stock questions:

** Which repositories do you want to have access? (all or list)

basket

** Are any of those repositories private?

no

** Provide link to vendor's description of permissions needed and why

Unable to find a description of permissions, but since this is in the list of approved addons I assume it isn't needed.

https://github.com/MoCo-GHE-Admin/Approved-GHE-add-ons/blob/main/New_Org_Default_settings.md

** Provide the Install link for a GitHub app

codecov/codecov-action@v3

The main concern with actions is that we don't limit actions per repo - so this potentially gets it into the whole org, which is why we're so particular about making sure it's OK.

So, the approved version is @v2 - And the request is for @v3 --- I assume that's OK, but I have to throw this past Secops.

Austin - is @v3 acceptable, can we perhaps wildcard this action for future inclusions?

Flags: needinfo?(asargent)
Summary: Assess use of external addon codecov in Mozilla's GitHub organization mozmeao/basket → Assess use of external action codecov in Mozilla's GitHub organization mozmeao/basket

The list of approved actions in the mozilla org doesn't include the version. What I see there is:

!/mozilla/**,
!mozilla/**,
./**,
10up/wpcs-action@*,
EmbarkStudios/*,
actions-rs/toolchain@v1,
aws-actions/*,
canonical/actions/*,
canonical/setup-lxd@*,
codecov/codecov-action@*,
dependabot/fetch-metadata@*,
docker/*,
erlef/setup-beam@v1,
google-github-actions/*,
ilammy/msvc-dev-cmd@v1*,
pypa/gh-action-pypi-publish@v1.4.2,
shivammathur/setup-php@*,
slackapi/slack-github-action@*,
tj-actions/changed-files@*,
tj-actions/glob@*,
vmactions/freebsd-vm@v0,
yesolutions/mirror-action@*,

And we are currently using v3 of the codecov action in the bedrock project.
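Added example (not code from this bug or from Mozilla's tooling): a small matcher for org-level allowed-action patterns like the ones quoted above, so a workflow's `uses:` references can be checked against the list before a request like this one is filed. Assumptions, since the page does not document GitHub's exact semantics: `*` matches within one path segment, `**` spans segments, an entry without `@` allows any ref, and a leading `!` is a deny entry that overrides allows.

```python
import re
from typing import Iterable

# Constructed from the patterns quoted in this bug, not the live org config.
MOZILLA_ALLOWED = [
    "!/mozilla/**", "!mozilla/**", "./**",
    "10up/wpcs-action@*", "EmbarkStudios/*", "actions-rs/toolchain@v1",
    "codecov/codecov-action@*", "docker/*", "ilammy/msvc-dev-cmd@v1*",
    "pypa/gh-action-pypi-publish@v1.4.2", "vmactions/freebsd-vm@v0",
]


def _glob_to_regex(glob: str) -> str:
    """Translate a pattern: '**' spans '/' separators, '*' does not (assumed)."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return out


def pattern_matches(pattern: str, uses: str) -> bool:
    """Does one allowlist entry cover a 'uses:' reference such as owner/repo@ref?

    An entry without '@' allows any ref; with '@' the ref part is matched with
    the same glob rules, so '@*' is an unpinned wildcard and '@v1*' a prefix.
    """
    repo_pat, _, ref_pat = pattern.partition("@")
    repo, _, ref = uses.partition("@")
    if not re.fullmatch(_glob_to_regex(repo_pat), repo):
        return False
    return ref_pat == "" or re.fullmatch(_glob_to_regex(ref_pat), ref) is not None


def is_allowed(uses: str, patterns: Iterable[str]) -> bool:
    """Deny entries (leading '!') win over allow entries (assumed semantics)."""
    allowed = False
    for entry in patterns:
        if entry.startswith("!"):
            if pattern_matches(entry[1:], uses):
                return False
        elif pattern_matches(entry, uses):
            allowed = True
    return allowed


def audit_workflow(uses_refs: Iterable[str], patterns: Iterable[str]) -> list:
    """Return the 'uses:' references that the org allowlist would block."""
    pats = list(patterns)
    return [u for u in uses_refs if not is_allowed(u, pats)]
```

Running `audit_workflow(["codecov/codecov-action@v3", "actions-rs/toolchain@v2"], MOZILLA_ALLOWED)` shows why the `@*` wildcard entry covers a v2-to-v3 bump while a pinned entry like `@v1` does not.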

Yes, every org has its own approved actions - the list from https://github.com/MoCo-GHE-Admin/Approved-GHE-add-ons/blob/main/New_Org_Default_settings.md is the one that security has approved for anywhere. And they are including the version there.

And the bedrock repo is in the mozilla org, but the basket repo is in mozmeao - which can lead to this sort of disparity.

But mozmeao org doesn't have the action in there at all - so I can add @v2 right now, but you've requested @v3.

(Also, cleaned up the bug title to make it clear we're discussing mozmeao org)

Summary: Assess use of external action codecov in Mozilla's GitHub organization mozmeao/basket → Assess use of external action codecov in the MozMeao GitHub organization mozmeao/basket

In spelunking, in case it helps sec-folk - 1784913 is the bug where the codecov/codecov-action@* was allowed for mozilla org.

Approved for Mozmeao to use codecov/codecov-action@* and I also plan on updating that for the new org section as well so others can request it in the future.

Flags: needinfo?(asargent)

Alright, that's been added to mozmeao. Thank you.

Let us know if any problems persist.

Assignee: nobody → cknowles
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Thanks all!

:robhudson - over in bug 1784913 you crossposted an item around codecov wanting you to install the app for codecov rather than use the legacy oauth app. (and then stated that the comment was intended for this bug, so I'm responding here to keep things in their lanes.)

Couple of things: I don't actually see the codecov oauth app in the mozmeao org, so I'm not sure why it's thinking you're using it there.
And if you want the github App installed, from the link you're looking at https://github.com/apps/codecov - you can go to its marketplace page and request the install from there - if needing an owner of the org, we'll get an email about the request from GitHub and we'll open bugs for approval etc.

Let me know if you have questions, or if I missed the mark.

Flags: needinfo?(robhudson)

(And I should have said, please request only those repos you NEED the app to access - but we'll cover that in the ensuing bug.)

Thanks for the extra context. This is what I needed to know. I didn't see a step on how to limit the request to a particular repo, so apologies if it requested for all repos in the org.

Flags: needinfo?(robhudson)

Yeah, the installs can be ... different. It's fine, we can adjust when we approve.
