fastlane/ci

Think about security threat model for the GH API token more

KrauseFx opened this issue · 5 comments

If we build external PRs, a malicious actor can submit a PR to a repo which replaces the test scripts to just print out all ENV variables, and therefore get access to secrets like the GitHub API token

  1. We can build only PRs from local branches
  2. The GH token has such limited access, that it can only set the build status

Other approaches?

Also described here

Pretty much every major open source project out there (at least in the JavaScript/Node community) will have automated CI that runs on pull requests.

This CI is just there to run your tests, and it provides a nice feedback loop to contributors, but since it runs automatically the second a pull request is opened, you need to be careful what that CI process has access to.

Many users of npm (including lots of major open source projects) choose to use Continuous Deployment systems to automatically publish new versions of their npm packages as things get merged into their master branch. Most of the time, this is done in the same CI system as tests.

In order to publish to npm, you need to have a "token" (something to tell npm that you are authenticated). And in order to publish to npm automatically in CI, you need to put this token into your environment variables.

Most of the time, people configure these environment variables in such a way that both your "master" build and your "pull request/branch" build get the same environment variables.

This means that simply by opening a pull request into the right repo, you can gain authorization to publish packages.

Cool.

via https://jamie.build/how-to-build-an-npm-worm
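The two mitigations proposed in the issue (only trust builds from local branches, and give the CI worker a token that can do nothing but set a commit status) can be combined into a single policy: decide per build whether the code about to run could have been authored by someone without push access, and hand the build an environment that contains only what that trust level justifies. The following is an added example written for this page, not code from fastlane.ci or from the quoted article. It assumes the field layout of a GitHub `pull_request` webhook payload (`pull_request.head.repo.full_name`, `pull_request.base.repo.full_name`, `pull_request.head.sha`) and the Commit Statuses endpoint `POST /repos/{owner}/{repo}/statuses/{sha}`; the secret names, the sample payloads and the `fastlane.ci` status context are constructed for illustration.

```ruby
require "json"

# Constructed sample GitHub "pull_request" webhook payloads (not real events).
# Field names follow the GitHub webhook schema; values are made up.
SAME_REPO_PR = {
  "action" => "opened",
  "pull_request" => {
    "head" => { "sha" => "a1b2c3", "repo" => { "full_name" => "fastlane/ci" } },
    "base" => { "sha" => "d4e5f6", "repo" => { "full_name" => "fastlane/ci" } },
  },
}

FORK_PR = {
  "action" => "opened",
  "pull_request" => {
    "head" => { "sha" => "0badf00d", "repo" => { "full_name" => "attacker/ci" } },
    "base" => { "sha" => "d4e5f6", "repo" => { "full_name" => "fastlane/ci" } },
  },
}

# GitHub sends head.repo as null when the fork has since been deleted.
DELETED_FORK_PR = {
  "action" => "synchronize",
  "pull_request" => {
    "head" => { "sha" => "deadbeef", "repo" => nil },
    "base" => { "sha" => "d4e5f6", "repo" => { "full_name" => "fastlane/ci" } },
  },
}

# Hypothetical secret store for this example; the names are assumptions.
SECRETS = {
  "GITHUB_STATUS_TOKEN" => "status-only-token", # token holding only the repo:status scope
  "GITHUB_API_TOKEN"    => "full-repo-token",   # broad token; must never reach a fork build
  "NPM_TOKEN"           => "npm-publish-token", # publish rights, the target of the npm worm
}

# A build is trusted only when the PR head lives in the same repository as the
# base, i.e. it is a local branch that only a collaborator with push access
# could have created. A missing head repo (deleted fork) is treated as untrusted.
def trusted_build?(payload)
  pr = payload.fetch("pull_request")
  head_repo = pr.dig("head", "repo", "full_name")
  base_repo = pr.dig("base", "repo", "full_name")
  !head_repo.nil? && head_repo == base_repo
end

# Environment handed to the build. Untrusted builds receive only the
# status-scoped token, so a replaced test script that dumps ENV learns nothing
# beyond the ability to set a commit status.
def build_env(payload, secrets = SECRETS)
  if trusted_build?(payload)
    secrets.dup
  else
    secrets.slice("GITHUB_STATUS_TOKEN")
  end
end

# The request the CI worker would send to report a status with the limited
# token. Only the request is built here; nothing is sent over the network.
def status_request(payload, state, token)
  pr = payload.fetch("pull_request")
  repo = pr.dig("base", "repo", "full_name")
  sha = pr.dig("head", "sha")
  {
    method: "POST",
    path: "/repos/#{repo}/statuses/#{sha}",
    headers: {
      "Authorization" => "token #{token}",
      "Accept" => "application/vnd.github+json",
    },
    body: JSON.generate("state" => state, "context" => "fastlane.ci"),
  }
end

if __FILE__ == $PROGRAM_NAME
  [SAME_REPO_PR, FORK_PR, DELETED_FORK_PR].each do |payload|
    env = build_env(payload)
    head = payload.dig("pull_request", "head", "repo", "full_name") || "(deleted fork)"
    puts "#{head}: trusted=#{trusted_build?(payload)} env=#{env.keys.inspect}"
    puts status_request(payload, "pending", env["GITHUB_STATUS_TOKEN"])[:path]
  end
end
```

The status request uses the base repository and the head SHA, so the limited token can still report results on a fork PR without any other secret ever being exported into that build's environment. Note that the check is on the repository the head commit lives in, not on who opened the PR; a collaborator can still push a branch to the main repo and get a trusted build, which is exactly the case the issue's option 1 wants to keep working.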

This is a tough one. Running local branches seems like a huge limitation on what is tested. This could be avoided by using the master Fastfile at all times, but this has its own cons.

Running just local branches instead of external PRs for open source projects is the most common setup across the available CI systems (e.g. Travis and Circle), but I'd love to find a better solution.

We decided to pause our work on fastlane.ci to focus on the core fastlane product as we have a lot on the roadmap. You can find more information on the main GitHub page. This issue will be auto-closed 👍