I think this is a huge security problem and I've opened a High Priority security ticket to GitHub https://support.github.com/ticket/personal/0/964498 (it's personal so you won't see it). I am also immediately setting "persist-credentials: false" on all our checkout actions. This is a really bad issue if that's the case.

Greg, if you are listening - I think it needs another action/escalation at Apache level, I believe. We are also pushing stuff to our repo, but precisely for the reason I (believed) it worked we use a dedicated "push" action and we pass the secret as a parameter. It never even crossed my mind that a write token might be persisted in this case: https://github.com/apache/airflow/blob/a4a3d3f262257efbad7a36d6c72e0abd921b3a6f/.github/workflows/ci.yml#L1045

On Wed, Dec 30, 2020 at 10:32 AM Brennan Ashton <bash...@brennanashton.com> wrote:

> On Wed, Dec 30, 2020, 1:25 AM Jarek Potiuk <ja...@potiuk.com> wrote:
>
> > > This is only sort of correct. If you are using the standard checkout
> > > action and install a package from pypi/npm at a later step, that package
> > > absolutely can push to the Apache repo when it runs in a push context (pr
> > > context it is read-only). This later step does not need the token passed
> > > to it.
> >
> > Are you sure of that? Can you please double check it? If it is then
> > I think we need to immediately raise a critical security issue to GitHub.
> >
> > My understanding was, that by default the github checkout action is
> > not authenticated at all (when you do not pass the token). Authentication
> > is not needed for Checkout because all apache repos are public, So as I
> > understood it - the 'persists' case is only in the case if you actually pass
> > a token or SSH key (which you can do for external repos).
>
> I am quite sure. We use this feature to be able to publish our site. Note
> that the auth only has the context to do this on a push. So the PR build
> only verifies the build. Once it is merged a push job is triggered which
> can commit to the asf-site branch. We use pipenv to pin our build
> dependencies in this case.
>
> https://github.com/apache/incubator-nuttx-website/blob/master/.github/workflows/main.yml
>
> --Brennan

--
+48 660 796 129
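As an added example (not code from this thread, from Airflow or from the NuttX website project): a POSIX shell check a workflow can run right after `actions/checkout` to confirm nothing was persisted. `actions/checkout` stores the token it authenticates with as an `http.<url>.extraheader` entry in the repository's own `.git/config`, which is exactly what a later step, or a package installed by that step, can read; `persist-credentials: false` stops it being written. The config paths and the sample config contents below are constructed for the example.

```shell
#!/bin/sh
# Audit a checked-out repository for the credential that actions/checkout
# persists when persist-credentials is left at its default (true).
# Sample configs and paths are constructed; this is not project code.

# Return 0 if the git config file at $1 holds a persisted AUTHORIZATION
# header (what actions/checkout writes), 1 otherwise or if it is missing.
has_persisted_token() {
  config="$1"
  [ -f "$config" ] || return 1
  # actions/checkout writes:  extraheader = AUTHORIZATION: basic <base64>
  grep -Eiq '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION:' "$config"
}

# Constructed sample: .git/config after a default (persisting) checkout.
# The header value is a placeholder, not a real token.
write_default_checkout_config() {
  cat > "$1" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://github.com/example-org/example-repo
[http "https://github.com/"]
    extraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64_NOT_A_REAL_TOKEN
EOF
}

# Constructed sample: the same repo checked out with persist-credentials: false.
write_clean_checkout_config() {
  cat > "$1" <<'EOF'
[core]
    repositoryformatversion = 0
[remote "origin"]
    url = https://github.com/example-org/example-repo
EOF
}

# Step usable right after checkout: fail the job if a token was persisted.
# Usage: audit_checkout "$GITHUB_WORKSPACE/.git/config"
audit_checkout() {
  if has_persisted_token "$1"; then
    echo "FAIL: persisted GitHub token in $1 (set persist-credentials: false)" >&2
    return 1
  fi
  echo "OK: no persisted credentials in $1"
}
```

Running `audit_checkout` as the step immediately after `actions/checkout` turns the default into a job failure instead of a silent exposure to every later step.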