Assess use of external actions php-actions/composer and pressidium/lftp-mirror-action in Mozilla's GitHub organization mozilla
Categories
(mozilla.org :: Github: Administration, task)
Tracking
(Not tracked)
People
(Reporter: pmac, Unassigned)
Details
I want to use the "php-actions/composer@v6" and "pressidium/lftp-mirror-action@v1" Actions in the mozilla org for the following reasons:
Below are my answers to your stock questions:
** Which repositories do you want to have access? (all or list)
(Note: This mainly applies to applications. Actions are approved for entire GitHub orgs, though having this info can help security with their analysis)
mozilla/mozilla-new-products-wp
** Are any of those repositories private?
No
** Provide link to vendor's description of permissions needed and why, or general documentation link for either the app or action
https://github.com/marketplace/actions/composer-php-actions - Installs composer dependencies
https://github.com/marketplace/actions/lftp-mirror-action - uses SFTP to mirror files to a server. Used for deployment of the WordPress template in the above repo.
** If an app - please provide the Install link
N/A
NOTE
Think of this as you would any 3rd party source inclusion into a shipping product, including all the considerations here.
Comment 1•21 days ago
This is a public repo - but given that actions are enabled across entire orgs, it needs security review.
Clovis/Sandeep - please let us know your thoughts and if you need any more information.
Comment 2•21 days ago
Note: Another repo that needs/uses these actions was just transferred, and is also public.
Comment 3
(In reply to Paul [:pmac] McLanahan from comment #0)
> I want to use the "php-actions/composer@v6" and "pressidium/lftp-mirror-action@v1" Actions in the mozilla org for the following reasons:
> Below are my answers to your stock questions:
> ** Which repositories do you want to have access? (all or list)
> (Note: This mainly applies to applications. Actions are approved for entire GitHub orgs, though having this info can help security with their analysis)
> mozilla/mozilla-new-products-wp
> ** Are any of those repositories private?
> No
> ** Provide link to vendor's description of permissions needed and why, or general documentation link for either the app or action
> https://github.com/marketplace/actions/composer-php-actions - Installs composer dependencies
> https://github.com/marketplace/actions/lftp-mirror-action - uses SFTP to mirror files to a server. Used for deployment of the WordPress template in the above repo.
> ** If an app - please provide the Install link
> N/A
> NOTE
> Think of this as you would any 3rd party source inclusion into a shipping product, including all the considerations here.

@Paul are you looking to use a specific version? e.g. 6.1.2, 6.1.1, etc? Or do you prefer that we do all sub-versions of v6? Since actions are approved for all repos in the org, our preference is to limit the version as much as possible, for security best practices.
As for "lftp-mirror-action", this is approved for v1.
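As an added illustration of the version-pinning concern raised in the comment above (example code, not from the bug or from either action's project): a small check that reads the `uses:` lines of a workflow, compares each action against a constructed org allow-list modelled on the approvals in this thread, and reports whether an approved action is pinned to an exact release or only to a moving major-version tag like `@v6`.

```python
"""Audit 'uses:' references in a GitHub workflow against an org allow-list.
Added example, not code from the bug or from either action's project; the
allow-list and workflow below are constructed to mirror this thread."""
import re

# Constructed allow-list: action -> approved refs ("v6" also admits 6.x.y).
APPROVED = {"php-actions/composer": {"v6"},
            "pressidium/lftp-mirror-action": {"v1"}}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"]+)", re.M)

def classify_ref(ref):
    """How tightly a ref pins the action: sha, exact, major, or branch."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "exact"
    if re.fullmatch(r"v?\d+(\.\d+)?", ref):
        return "major"
    return "branch"

def audit_workflow(text, approved=APPROVED):
    """Return (action, ref, pin, status) per action reference in the workflow.
    status: ok (approved exact version), floating (approved moving tag, so any
    future release under it runs org-wide), sha (commit-pinned; confirm the
    commit belongs to an approved release) or blocked (not on the list)."""
    results = []
    for action, ref in USES_RE.findall(text):
        repo = "/".join(action.split("/")[:2])  # drop any sub-path
        allowed = {r.lstrip("v") for r in approved.get(repo, ())}
        pin, norm = classify_ref(ref), ref.lstrip("v")
        if not allowed:
            status = "blocked"
        elif pin == "sha":
            status = "sha"
        elif norm in allowed or norm.split(".")[0] in allowed:
            status = "ok" if pin == "exact" else "floating"
        else:
            status = "blocked"
        results.append((action, ref, pin, status))
    return results

# Constructed workflow steps modelled on the deploy flow described in the bug.
SAMPLE_WORKFLOW = """\
steps:
  - uses: php-actions/composer@v6
  - uses: php-actions/composer@6.1.2
  - uses: pressidium/lftp-mirror-action@v1
  - uses: some-org/unreviewed-action@main
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags both `@v6` and `@v1` as floating: the approval covers every future release under those tags, which is why the reviewer asks about a specific version.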
Comment 4•16 days ago
I think pinning to the most recent version would be fine. This site was developed by a contractor so I'm checking with them, but I don't see why it wouldn't be fine. Thanks for the help!
Comment 5•16 days ago
looking at the repos involved, they're using php-actions/composer@v6
and pressidium/lftp-mirror-action@v1
- which is what the contractor was doing before we got the repos transferred into Mozilla.
Comment 6
(In reply to Chris Knowles [:cknowles] from comment #5)
> looking at the repos involved, they're using php-actions/composer@v6
> and pressidium/lftp-mirror-action@v1
> - which is what the contractor was doing before we got the repos transferred into Mozilla.

I am approving php-actions/composer@v6 and pressidium/lftp-mirror-action@v1 in mozilla org.
Comment 7•9 days ago
I've added those to the mozilla org allowed actions.
:sseehra - are you planning on adding these to the approved list?
Comment 8
(In reply to Chris Knowles [:cknowles] from comment #7)
> I've added those to the mozilla org allowed actions.
> :sseehra - are you planning on adding these to the approved list?

I'll work with Clovis to add those in shortly.