
Hardcode REMOTE_HTTP secret in PR workflows #262

Merged: 1 commit into testing from tooling/fix-pr-secrets on Jan 25, 2021

Conversation

matteodelabre (Member)

The REMOTE_HTTP secret was introduced to make the remote server
configurable without changing the workflow code in #218. For security
reasons, PR workflows do not have access to secret variables (this is an
oversight of the aforementioned PR).

We could switch the PR workflow to trigger on the pull_request_target
event which allows access to secrets, but that would enable external
attackers to exfiltrate our secrets (see
https://securitylab.github.com/research/github-actions-preventing-pwn-requests).

The correct solution would be for GitHub to provide a mechanism for
marking secrets as non-sensitive (which is the case of REMOTE_HTTP). For
now, let’s just hardcode that secret in PR workflows.

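The two workflow shapes the description weighs against each other, written out as an added example (this is not a file from this PR or from the toltec repository). The workflow names, the `./scripts/package-build` step, the `actions/checkout@v2` usage and the `https://remote.example.invalid` value are placeholders chosen for illustration; the only thing taken from the page is that `REMOTE_HTTP` is a non-sensitive server address that PR workflows need and that `ubuntu-20.04` is the pinned runner.

```yaml
# Added example, not toltec's own workflow. Names, script path and the
# URL value are placeholders.

# --- Variant the PR description rules out ---
# pull_request_target runs in the base repository's context and can read
# its secrets. Checking out and executing the PR's own code under that
# event makes every secret passed to a step readable by untrusted code.
name: pr-build-risky
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v2
        with:
          # head of the PR: code the repository maintainers have not reviewed
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./scripts/package-build          # placeholder build step
        env:
          REMOTE_HTTP: ${{ secrets.REMOTE_HTTP }}   # exposed to the PR's code

---
# --- Variant this PR adopts ---
# pull_request has no access to secrets at all, so the non-sensitive server
# address is written into the workflow file. Genuinely sensitive secrets
# remain confined to push/schedule workflows that never run PR code.
name: pr-build
on: pull_request
jobs:
  build:
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v2
      - run: ./scripts/package-build          # placeholder build step
        env:
          REMOTE_HTTP: https://remote.example.invalid   # placeholder, non-sensitive
```

The defender's check when reviewing a workflow is the combination of three things in one job: the `pull_request_target` event, a checkout of `github.event.pull_request.head.*`, and a `secrets.*` reference; any two are usually fine, all three together is the pattern the linked Security Lab article describes. The second variant keeps the first and third apart by construction, which is why hardcoding the value is acceptable only because `REMOTE_HTTP` carries nothing confidential.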
@matteodelabre matteodelabre added bug Something isn't working tooling Set of scripts and configuration files for building the packages labels Jan 25, 2021
@matteodelabre matteodelabre merged commit 36ccc37 into testing Jan 25, 2021
@matteodelabre matteodelabre deleted the tooling/fix-pr-secrets branch January 25, 2021 20:26
raisjn pushed a commit to rmkit-dev/toltec that referenced this pull request Mar 23, 2021
new packages:
    [ddvk-hacks] Add ddvk-hacks (toltec-dev#247)

updated packages:
    [wireguard][1.0.20210219] - Updated package (and include wireguard-tools) (toltec-dev#285)
    [rm2fb] update rm2fb to work with xochitl 2.6 (v1.0.1) (toltec-dev#301)
    [recrossable] Update recrossable (toltec-dev#312)
    [wikipedia] Initial wikipedia package.
    [appmarkable] Update appmarkable to 0.0.0-9 and rmservewacominput to 0.3.0-1 (toltec-dev#308) with rm2 support
    [rmkit] patch genie to fix crash in testing (toltec-dev#304)
    [oxide] Update Oxide to v2.1.2 (toltec-dev#241)
    [rm2fb] update rm2fb with wait ioctl and no-op on rM1 (toltec-dev#298)
    [rmkit] add bufshot app, add lamp, add iago, add changelog (toltec-dev#276)
    [rmkit] update rmkit to latest (2021-02-17) (toltec-dev#286)
    [zshelf][0.3.1] - Updated Package (toltec-dev#287)

tooling:
    Pin the Ubuntu version used in workflows to 20.04 (toltec-dev#316)
    Provide better version number error messages (toltec-dev#314)
    util.auto_extract: Extract broken symlinks and missing directories (toltec-dev#302)
    change web background color to #fcfaf8 (toltec-dev#280)
    Implement build-time package dependencies (toltec-dev#274)
    Rewrite repo-build-web in Python (toltec-dev#266)
    Print last 50 lines of output on build error (toltec-dev#263)
    Hardcode REMOTE_HTTP secret in PR workflows (toltec-dev#262)
    Rewrite repo-build and package-build in Python (toltec-dev#218)
    Make bootstrap execution conditional on hash verification (toltec-dev#257)
    Add Toltec web home page (toltec-dev#193)
matteodelabre added a commit that referenced this pull request Mar 31, 2021
New packages:

* bufshot - 0.1.0-2 (#276)
* ddvk-hacks - 17.04-1 (#247)
* iago - 0.1.0-1 (#276)
* lamp - 0.1.0-1 (#276)
* libdlib, libdlib-dev - 19.21-1 (#274)
* libvncserver, libvncserver-dev - 0.9.13-1 (#274)
* wikipedia - 0.1.0-2 (#311)

Updated packages:

* appmarkable - 0.0.0-9 (#308)
* decay - 2.1.2~1 (#241)
* erode - 2.1.2~1 (#241)
* fret - 2.1.2~1 (#241)
* genie - 0.1.4-2 (#304)
* harmony - 0.1.2-1 (#286)
* mines - 0.1.2-1 (#286)
* nao - 0.1.2-1 (#286)
* oxide - 2.1.2~1 (#241)
* recrossable - 0.0.0-5 (#274, #312)
* remux - 0.1.8-1 (#286)
* rm2fb - 1.0.1-1 (#298, #301)
* rmservewacominput - 0.3.0-1 (#308)
* rot - 2.1.2~1 (#241)
* simple - 0.1.3-1 (#286)
* tarnish - 2.1.2~1 (#241)
* vnsee - 0.3.1-2 (#274)

Tooling:

* Pin the Ubuntu version used in workflows to 20.04 (#316)
* Provide better version number error messages (#314)
* util.auto_extract: Extract broken symlinks and missing directories (#302)
* change web background color to #fcfaf8 (#280)
* Implement build-time package dependencies (#274)
* Rewrite repo-build-web in Python (#266)
* Print last 50 lines of output on build error (#263)
* Hardcode REMOTE_HTTP secret in PR workflows (#262)
* Rewrite repo-build and package-build in Python (#218)
* Make bootstrap execution conditional on hash verification (#257)
* Add Toltec web home page (#193)

Co-authored-by: okay <okay@arkose>
Co-authored-by: Mattéo Delabre <spam@delab.re>