> > > This is only sort of correct. If you are using the standard checkout
> > > action and install a package from pypi/npm at a later step that package
> > > absolutely can push to the Apache repo when it runs in a push context (pr
> > > context it is read-only). This later step does not need the token passed to
> > > it.
>

Are you sure of that? Can you please double check it? If it is then I think we need to immediately raise a critical security issue to GitHub.

My understanding was, that by default the github checkout action is not authenticated at all (when you do not pass the token). Authentication is not needed for Checkout because all apache repos are public, so as I understood it - the 'persists' case is only in the case if you actually pass a token or SSH key (which you can do for external repos).

This is what you do usually:

    - name: Checkout
      uses: actions/checkout@v2

IMHO this is what you'd have to do to pass the token:

    - name: Checkout
      uses: actions/checkout@v2
      with:
        token: ${{ secrets.GITHUB_TOKEN }}

The behaviour you describe would strictly contradict the statement of GitHub that for an action to use a token it must get the token explicitly passed to it either via ${ github.token } or GITHUB_TOKEN.

Via: https://docs.github.com/en/free-pro-team@latest/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow

    Using the GITHUB_TOKEN in a workflow

    To use the GITHUB_TOKEN secret, you *must* reference it in your workflow file. Using a token might include passing the token as an input to an action that requires it, or making authenticated GitHub API calls.

J.

> From the readme:
> """The auth token is persisted in the local git config. This enables your
> scripts to run authenticated git commands. The token is removed during
> post-job cleanup. Set persist-credentials: false to opt-out."""
>
> > > If the concern is pushing code to Apache repos the story for Actions and
> > > other packages is basically the same if you are not fully pinning. I don't
> > > think that's a bad thing, people probably just don't think in this context
> > > for Actions.
>
> --Brennan
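An added example, not code from this thread or from actions/checkout: a post-checkout guard step in sh that fails the job when the checkout has left its auth header in .git/config, the behaviour the README quote above describes as the default and as opted out of with persist-credentials: false. The function names, directory layout and sample config files (including the base64 placeholder and the apache/example URL) are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread). actions/checkout keeps
# persist-credentials: true by default, which stores the job token in the
# repository's .git/config as an http "extraheader" entry:
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic <base64>
# Running this guard right after checkout fails the job while that entry is
# present, so later steps that install unpinned pypi/npm packages find no
# stored credential to reuse. Function names and sample files are assumptions.

# Return 0 when the given git config file carries a persisted auth header.
has_persisted_git_credential() {
  grep -qiE '^[[:space:]]*extraheader[[:space:]]*=.*AUTHORIZATION' "$1"
}

# Return 1 (fail the job) when the repository at $1 still holds a credential.
guard_checkout() {
  if has_persisted_git_credential "$1/.git/config"; then
    echo "persisted git credential found in $1/.git/config" >&2
    return 1
  fi
  return 0
}

# Constructed sample repositories for a stand-alone run; the base64 value is
# a placeholder ("foo:bar"), not a real token. Prints the directory used.
write_sample_configs() {
  dir=${1:-$(mktemp -d)}
  mkdir -p "$dir/persisted/.git" "$dir/clean/.git"
  cat > "$dir/persisted/.git/config" <<'EOF'
[remote "origin"]
    url = https://github.com/apache/example.git
[http "https://github.com/"]
    extraheader = AUTHORIZATION: basic Zm9vOmJhcg==
EOF
  cat > "$dir/clean/.git/config" <<'EOF'
[remote "origin"]
    url = https://github.com/apache/example.git
EOF
  echo "$dir"
}

# Stand-alone demo: the persisted sample must fail, the clean one must pass.
if [ "${1:-}" = "--demo" ]; then
  d=$(write_sample_configs)
  guard_checkout "$d/persisted" && exit 2
  guard_checkout "$d/clean" && echo "clean checkout: ok"
fi
```

In a workflow the guard would run as a step immediately after checkout; pairing it with persist-credentials: false and a read-only permissions block keeps the push-context token out of reach of anything installed later.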