github/branch-deploy

Malicious workflow manipulation

bzurkowski opened this issue · 4 comments

Describe the Issue

In the security section of the README there is the following statement:

The IssueOps + branch-deploy model is significantly more secure than a traditional "deploy on merge" or "run on commit" model. Let's reference the workflow trigger that the branch-deploy model uses (...)

Unlike the on: pull_request trigger, the on: issue_comment trigger only uses Actions workflow files from the default branch in GitHub. This means that a bad actor cannot open a PR with a malicious workflow edit and dump secrets, trigger bad deployments, or cause other issues. This means that any changes to the workflow files can be protected with branch protection rules to ensure only verified changes make it into your default branch.

What if a bad actor opens a PR with a custom workflow having a different trigger, e.g., on: pull_request, and executes abusive actions that skip the branch-deploy policy? Branch protection rules do not protect us in this case. Do you have any recommendations on how to secure the branch-deploy process against malicious workflow manipulation?

My concern is mainly related to the statement:

This means that a bad actor cannot open a PR with a malicious workflow edit and dump secrets, trigger bad deployments, or cause other issues

Perhaps, this matter requires more explanation. Thanks in advance for any guidance!

Action Configuration

No response

Relevant Actions Log Output

No response

Extra Information

No response

👋 Thanks for asking! I would first start by reading "Managing GitHub Actions settings for a repository", GitHub's official docs around Actions and locking down permissions.

It sounds like in your specific case, you do not want someone to open a PR and have a workflow execute on the on: pull_request trigger and do something malicious. I would suggest enabling the following setting on your repository to allow you to "approve" workflow runs before they execute. This only applies to forks but allows you to review the code being submitted before executing Actions workflows:

[Screenshot 2023-05-17 at 3 54 50 PM]

@GrantBirki I have been exploring the branch-deploy action for deploying Terraform configuration in GCP and came up with a potentially viable approach to securing the workflow.

Considering the attributes available in the OIDC token, it is possible to configure a Service Account binding in Workload Identity Federation to rely on the event_name attribute equal to issue_comment. The issue_comment trigger always uses the workflow configuration from the default branch, eliminating the risk of manipulating the workflow configuration (e.g., by changing the trigger to on: pull_request). This means that even if an attacker managed to manipulate the workflow on a feature branch, they would not be able to use the SA to apply infrastructure changes. The binding strictly requires the issue_comment event, which only references the workflow configurations from the default branch.
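The binding described in the comment above, sketched in Terraform as an added example (not code posted in this thread or taken from the branch-deploy project). It maps the GitHub OIDC `event_name` claim to a Workload Identity Federation attribute and grants service account impersonation only to tokens whose `event_name` is `issue_comment`. The pool, provider and service account IDs and the two variables are placeholders; the repository condition is an added assumption so that only one repository's tokens are accepted by the provider.

```hcl
# Added illustration: all IDs and variables below are placeholders.
variable "project_id" { type = string }
variable "github_repository" {
  type        = string
  description = "OWNER/REPO whose workflows may authenticate (placeholder)"
}

resource "google_iam_workload_identity_pool" "github" {
  project                   = var.project_id
  workload_identity_pool_id = "github-actions"
}

resource "google_iam_workload_identity_pool_provider" "github" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.github.workload_identity_pool_id
  workload_identity_pool_provider_id = "github-oidc"

  oidc {
    issuer_uri = "https://token.actions.githubusercontent.com"
  }

  # Expose the OIDC claims the binding depends on as mapped attributes.
  attribute_mapping = {
    "google.subject"       = "assertion.sub"
    "attribute.repository" = "assertion.repository"
    "attribute.event_name" = "assertion.event_name"
  }

  # Assumption: reject tokens issued to any other repository at the provider.
  attribute_condition = "assertion.repository == \"${var.github_repository}\""
}

resource "google_service_account" "deployer" {
  project    = var.project_id
  account_id = "terraform-deployer"
}

# Only identities whose token carries event_name == issue_comment may
# impersonate the deployer. A run triggered by pull_request presents a
# different event_name and matches no principal in this binding.
resource "google_service_account_iam_member" "issue_comment_only" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.github.name}/attribute.event_name/issue_comment"
}
```

The guarantee holds only while this is the sole `roles/iam.workloadIdentityUser` binding on the service account; a broader `principalSet` on the same account would let other event types through.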

@bzurkowski That is my understanding and this is why the branch-deploy model is inherently more secure than using other workflow trigger types.

All clear. Closing. Thanks!