Greg>Using an action defined by a third party, which might modify Apache
Greg>repositories in unknown ways ... not something we want.
Gregg,
Do you have pointers that clarify how actions can modify Apache
repositories?
I strongly believe that Actions are read-only by default.
AFAIK the only way G
Hello Vladimir, all,
Happy to share our experiences and thoughts. Better late than never - but
we discussed that in the apache-airflow private group before and we've
put a number of protections in place, so I'm happy
to share our learnings and practices.
> Gregg,
> Do you have pointers that cl
Jarek>GitHub Actions can use the GITHUB_TOKEN to perform write operations to
anything in the repo
Once again: GITHUB_TOKEN has to be explicitly used in the YAML file.
If GITHUB_TOKEN is not mentioned in the YAML, then write access is NOT
possible.
Jarek>This is exactly what Greg is writing about
Hi infra team,
The maven-jlink-plugin needs a second JDK as a toolchain JDK. While all
Jenkins builds do have this by default, we worked around it in GitHub
Actions by using a 3rd-party jabba action [1].
Due to the new security policy, this build is now broken:
"battila7/jdk-via-jabba@v1 is not
Not speaking for INFRA (I am but a humble user of INFRA services) but my
comments below.
On Tue, Dec 29, 2020 at 2:12 PM Vladimir Sitnikov <
sitnikov.vladi...@gmail.com> wrote:
> Jarek>Github Action can use the GITHUB_TOKEN to perform write operations to
> anything in the repo
>
> Once again: GIT
On Tue, Dec 29, 2020 at 2:30 PM Jarek Potiuk
wrote:
>...
> On Tue, Dec 29, 2020 at 2:12 PM Vladimir Sitnikov <
> sitnikov.vladi...@gmail.com> wrote:
>
>...
> Jarek>This is exactly what Greg is writing about
> >
> > Greg's message was very vague, so I asked for clarification.
>
> I hope my explan
On Tue, Dec 29, 2020 at 5:33 PM Greg Stein wrote:
>
> One of the things that we will likely do is perform a scan of any
> Action/workflow .yml at commit time, to ensure that any "uses:" is defined
> with a hash rather than a tag. That should prevent the kind of attack Jarek
> described where Action FO
On Tue, Dec 29, 2020 at 8:08 PM Brennan Ashton
wrote:
> On Tue, Dec 29, 2020 at 5:33 PM Greg Stein wrote:
> > One of the things that we will likely do is perform a scan of any
> > Action/workflow .yml at commit time, to ensure that any "uses:" is
> defined
> > with a hash rather than a tag. That sho
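The commit-time scan Greg describes above, written out as an added example (not a script from INFRA or from this thread): it walks a workflow file, pulls out every "uses:" reference and reports those that are not pinned to a full 40-character commit SHA. The workflow text is a constructed sample; local (./...) and docker:// references are classified separately because SHA pinning does not apply to them in the same way.

```python
import re

# Constructed sample workflow (not taken from any project) mixing pinned and unpinned steps.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-java@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 # v1.4.3
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.12
      - uses: battila7/jdk-via-jabba@v1
      - run: ./mvnw verify
"""

# Match "uses: <ref>" (optionally as a "- uses:" list item), stopping at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# Only a full-length lowercase hex commit SHA counts as pinned; tags and short SHAs do not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Classify one 'uses:' value as 'local', 'docker', 'pinned' or 'unpinned'."""
    if ref.startswith("./"):
        return "local"        # action lives in the same repo; reviewed with the repo itself
    if ref.startswith("docker://"):
        return "docker"       # container image; needs a digest policy, not a git SHA
    if "@" not in ref:
        return "unpinned"     # no ref at all resolves to the action's default branch
    version = ref.rpartition("@")[2]
    return "pinned" if FULL_SHA_RE.match(version) else "unpinned"

def scan_workflow(text):
    """Return (line number, reference, classification) for every 'uses:' line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

def unpinned_refs(text):
    """The references a commit-time hook would reject."""
    return [ref for _, ref, kind in scan_workflow(text) if kind == "unpinned"]

if __name__ == "__main__":
    for lineno, ref, kind in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} -> {kind}")
    raise SystemExit(1 if unpinned_refs(SAMPLE_WORKFLOW) else 0)
```

A hook built on this would run it over every .github/workflows/*.yml in the commit and reject the push when the exit status is non-zero.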
Just picking out one point below.
On Wed, Dec 30, 2020 at 12:47 PM Greg Stein wrote:
> On Tue, Dec 29, 2020 at 8:08 PM Brennan Ashton
> wrote:
> [...]
> > TBH I don't see how the threat surface here is that much different
> > than pulling down
> > packages from pypi to npm at build time.
> >
> An