
fix: potential CI injections (#15720)
* fix: persist-credentials false for actions/checkout

* fix: possible template injection in CI
erikburt authored Dec 24, 2024
1 parent c1e92af commit 59cdff7
Showing 37 changed files with 279 additions and 71 deletions.
2 changes: 2 additions & 0 deletions .github/actions/golangci-lint/action.yml
Expand Up @@ -26,12 +26,14 @@ runs:
# Only do a full checkout on merge_groups
if: github.event_name == 'merge_group'
with:
persist-credentials: false
fetch-depth: 0

- name: Checkout repo
uses: actions/[email protected]
if: github.event_name != 'merge_group'
with:
persist-credentials: false
fetch-depth: 1

- name: Setup Go
2 changes: 2 additions & 0 deletions .github/actions/goreleaser-build-sign-publish/README.md
Expand Up @@ -24,6 +24,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
- name: Configure aws credentials
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
35 changes: 23 additions & 12 deletions .github/workflows/automation-ondemand-tests.yml
Expand Up @@ -52,45 +52,56 @@ jobs:
outputs:
test_list: ${{ steps.set-tests.outputs.test_list }}
require_chainlink_image_versions_in_qa_ecr: ${{ steps.determine-chainlink-image-check.outputs.require_chainlink_image_versions_in_qa_ecr }}
env:
GH_INPUTS_CHAINLINK_IMAGE: ${{ inputs.chainlinkImage }}
GH_INPUTS_CHAINLINK_IMAGE_UPDATE: ${{ inputs.chainlinkImageUpdate }}
GH_INPUTS_CHAINLINK_VERSION: ${{ inputs.chainlinkVersion }}
GH_INPUTS_CHAINLINK_VERSION_UPDATE: ${{ inputs.chainlinkVersionUpdate }}
steps:
- name: Determine build to use
id: determine-build
shell: bash
run: |
if [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then
if [[ "$GH_INPUTS_CHAINLINK_IMAGE" == "QA_ECR" ]]; then
echo "image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV
else
echo "image=${{ inputs.chainlinkImage }}" >> $GITHUB_ENV
echo "image=$GH_INPUTS_CHAINLINK_IMAGE" >> $GITHUB_ENV
fi
if [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then
if [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then
echo "upgrade_image='{{ env.QA_CHAINLINK_IMAGE }}'" >> $GITHUB_ENV
else
echo "upgrade_image=${{ inputs.chainlinkImageUpdate }}" >> $GITHUB_ENV
echo "upgrade_image=$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" >> $GITHUB_ENV
fi
if [[ -z "${{ inputs.chainlinkVersion }}" ]] && [[ "${{ inputs.chainlinkImage }}" == "QA_ECR" ]]; then
if [[ -z "$GH_INPUTS_CHAINLINK_VERSION" ]] && [[ "$CHAINLINK_IMAGE" == "QA_ECR" ]]; then
echo "version=${{ github.sha }}" >> $GITHUB_ENV
else
echo "version=${{ inputs.chainlinkVersion }}" >> $GITHUB_ENV
echo "version=$GH_INPUTS_CHAINLINK_VERSION" >> $GITHUB_ENV
fi
if [[ -z "${{ inputs.chainlinkVersionUpdate }}" ]] && [[ "${{ inputs.chainlinkImageUpdate }}" == "QA_ECR" ]]; then
if [[ -z "$GH_INPUTS_CHAINLINK_VERSION_UPDATE" ]] && [[ "$GH_INPUTS_CHAINLINK_IMAGE_UPDATE" == "QA_ECR" ]]; then
echo "upgrade_version=${{ github.sha }}" >> $GITHUB_ENV
else
echo "upgrade_version=${{ inputs.chainlinkVersionUpdate }}" >> $GITHUB_ENV
echo "upgrade_version=$GH_INPUTS_CHAINLINK_VERSION_UPDATE" >> $GITHUB_ENV
fi
- name: Check if chainlink image check required
id: determine-chainlink-image-check
shell: bash
env:
CHAINLKINK_IMAGE: ${{ github.event.inputs.chainlinkImage }}
CHAINLINK_IMAGE_UPDATE: ${{ github.event.inputs.chainlinkImageUpdate }}
run: |
chainlink_image_versions=""
if [ "${{ github.event.inputs.chainlinkImage }}" = "QA_ECR" ]; then
if [ "$CHAINLKINK_IMAGE" = "QA_ECR" ]; then
chainlink_image_versions+="${{ env.version }},"
fi
if [ "${{ github.event.inputs.chainlinkImageUpdate }}" = "QA_ECR" ]; then
if [ "$CHAINLINK_IMAGE_UPDATE" = "QA_ECR" ]; then
chainlink_image_versions+="${{ env.upgrade_version }}"
fi
echo "require_chainlink_image_versions_in_qa_ecr=$chainlink_image_versions" >> $GITHUB_OUTPUT
- name: Set tests to run
id: set-tests
env:
GH_EVENT_INPUTS_ENABLE_REORG: ${{ github.event.inputs.enableReorg }}
GH_EVENT_INPUTS_ENABLE_CHAOS: ${{ github.event.inputs.enableChaos }}
run: |
# Always run upgrade tests
Expand Down Expand Up @@ -118,7 +129,7 @@ jobs:
EOF
# Run reorg tests if enabled
if [[ "${{ github.event.inputs.enableReorg }}" == 'true' ]]; then
if [[ "$GH_EVENT_INPUTS_ENABLE_REORG" == 'true' ]]; then
cat >> test_list.yaml <<EOF
- id: reorg/automation_reorg_test.go^TestAutomationReorg/registry_2_0
test_env_vars:
Expand All @@ -143,7 +154,7 @@ jobs:
fi
# Run chaos tests if enabled
if [[ "${{ github.event.inputs.enableChaos }}" == 'true' ]]; then
if [[ "$GH_EVENT_INPUTS_ENABLE_CHAOS" == 'true' ]]; then
cat >> test_list.yaml <<EOF
- id: chaos/automation_chaos_test.go
test_env_vars:
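Review bot: The rewritten third condition in `Determine build to use` reads `$CHAINLINK_IMAGE`, but the job env only defines `GH_INPUTS_CHAINLINK_IMAGE` (the removed line compared `inputs.chainlinkImage`), so unless `CHAINLINK_IMAGE` is set at workflow level outside this hunk the test is always false and `version` is never defaulted to `github.sha` for the QA_ECR case; it should read `if [[ -z "$GH_INPUTS_CHAINLINK_VERSION" ]] && [[ "$GH_INPUTS_CHAINLINK_IMAGE" == "QA_ECR" ]]; then`. The `determine-chainlink-image-check` step still expands `${{ env.version }}` and `${{ env.upgrade_version }}` straight into the script, and those values are written to `$GITHUB_ENV` from `chainlinkVersion`/`chainlinkVersionUpdate` in the previous step, so input text still reaches the shell through expression substitution; pass them as step env (e.g. `VERSION: ${{ env.version }}`) and reference `"$VERSION"` instead. The new env name `CHAINLKINK_IMAGE` is misspelled; it works because both uses match, but `CHAINLINK_IMAGE` would line up with the sibling `CHAINLINK_IMAGE_UPDATE`.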
4 changes: 4 additions & 0 deletions .github/workflows/bash-scripts.yml
Expand Up @@ -12,6 +12,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: bash-scripts
with:
Expand All @@ -26,6 +28,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
- name: Run ShellCheck
if: needs.changes.outputs.bash-scripts-src == 'true'
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
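Review bot: Both checkout steps here keep `actions/[email protected]`, a mutable tag, while the neighbouring `dorny/paths-filter` and `ludeeus/action-shellcheck` steps are pinned to a full commit SHA with the version kept as a comment. Since this commit is hardening exactly the step that receives the repository token, pin it the same way, `uses: actions/checkout@<full-commit-sha> # v4.2.1`, so a moved or re-pushed tag cannot substitute the action. The same tag pin is left on every other checkout step touched by this commit.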
20 changes: 14 additions & 6 deletions .github/workflows/build-publish-develop-pr.yml
Expand Up @@ -38,27 +38,33 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
ref: ${{ env.CHECKOUT_REF }}

- name: Get image tag
id: get-image-tag
env:
GH_EVENT_NAME: ${{ github.event_name }}
GH_EVENT_NUMBER: ${{ github.event.number }}
GH_INPUTS_BUILD_PUBLISH: ${{ inputs.build-publish }}
LABEL_HAS_BUILD_PUBLISH: ${{ contains(github.event.pull_request.labels.*.name, 'build-publish') }}
run: |
short_sha=$(git rev-parse --short HEAD)
echo "release-type=snapshot" | tee -a $GITHUB_OUTPUT
if [[ ${{ github.event_name }} == 'push' ]]; then
if [[ $GH_EVENT_NAME == 'push' ]]; then
echo "image-tag=develop" | tee -a $GITHUB_OUTPUT
echo "release-type=nightly" | tee -a $GITHUB_OUTPUT
elif [[ ${{ github.event_name }} == 'workflow_dispatch' ]]; then
elif [[ $GH_EVENT_NAME == 'workflow_dispatch' ]]; then
echo "image-tag=${short_sha}" | tee -a $GITHUB_OUTPUT
if [[ "${{ inputs.build-publish }}" == 'false' ]]; then
if [[ "$GH_INPUTS_BUILD_PUBLISH" == 'false' ]]; then
echo "release-type=snapshot" | tee -a $GITHUB_OUTPUT
else
echo "release-type=nightly" | tee -a $GITHUB_OUTPUT
fi
else
if [[ ${{ github.event_name }} == "pull_request" ]]; then
echo "image-tag=pr-${{ github.event.number }}-${short_sha}" | tee -a $GITHUB_OUTPUT
if [[ ${{ contains(github.event.pull_request.labels.*.name, 'build-publish') }} == "true" ]]; then
if [[ $GH_EVENT_NAME == "pull_request" ]]; then
echo "image-tag=pr-${GH_EVENT_NUMBER}-${short_sha}" | tee -a $GITHUB_OUTPUT
if [[ $LABEL_HAS_BUILD_PUBLISH == "true" ]]; then
echo "release-type=nightly" | tee -a $GITHUB_OUTPUT
fi
fi
Expand Down Expand Up @@ -86,6 +92,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
ref: ${{ env.CHECKOUT_REF }}
fetch-depth: 0

Expand Down Expand Up @@ -124,6 +131,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
ref: ${{ env.CHECKOUT_REF }}

- name: Configure aws credentials
4 changes: 4 additions & 0 deletions .github/workflows/build-publish-goreleaser.yml
Expand Up @@ -15,6 +15,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
- name: Check for VERSION file bump on tags
# Avoids checking VERSION file bump on forks.
if: ${{ github.repository == 'smartcontractkit/chainlink' }}
Expand All @@ -38,6 +40,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0

- name: Configure aws credentials
Expand Down Expand Up @@ -96,6 +99,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0

- name: Configure aws credentials
6 changes: 6 additions & 0 deletions .github/workflows/build-publish.yml
Expand Up @@ -18,6 +18,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
- name: Check git tag type
id: check-git-tag-type
shell: bash
Expand Down Expand Up @@ -67,6 +69,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false

- name: Build, sign and publish chainlink image
id: build-sign-publish
Expand Down Expand Up @@ -99,6 +103,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
- name: Notify Slack
uses: smartcontractkit/.github/actions/slack-notify-git-ref@31e00facdd8f57a2bc7868b5e4c8591bf2aa3727 # [email protected]
with:
2 changes: 2 additions & 0 deletions .github/workflows/chain-selectors-check.yml
Expand Up @@ -18,6 +18,8 @@ jobs:
steps:
- name: Checkout Repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup Go
uses: ./.github/actions/setup-go
3 changes: 3 additions & 0 deletions .github/workflows/changeset.yml
Expand Up @@ -31,6 +31,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0

- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
Expand Down Expand Up @@ -95,6 +96,7 @@ jobs:
- name: Checkout .Github repository
uses: actions/[email protected]
with:
persist-credentials: false
repository: smartcontractkit/.github
ref: 9aed33e5298471f20a3d630d711b96ae5538728c # [email protected]
path: ./dot_github
Expand Down Expand Up @@ -170,6 +172,7 @@ jobs:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0

- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
2 changes: 2 additions & 0 deletions .github/workflows/changesets-preview-pr.yml
Expand Up @@ -18,6 +18,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/[email protected]
with:
persist-credentials: false

- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: change
8 changes: 8 additions & 0 deletions .github/workflows/ci-core-partial.yml
Expand Up @@ -28,6 +28,7 @@ jobs:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
repository: smartcontractkit/chainlink
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: match-some
Expand Down Expand Up @@ -59,6 +60,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup NodeJS
uses: ./.github/actions/setup-nodejs
Expand Down Expand Up @@ -134,6 +137,7 @@ jobs:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
# fetches all history for all tags and branches to provide more metadata for sonar reports
fetch-depth: 0

Expand Down Expand Up @@ -191,6 +195,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup Go
uses: ./.github/actions/setup-go
Expand Down Expand Up @@ -235,6 +241,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup Go
uses: ./.github/actions/setup-go
17 changes: 15 additions & 2 deletions .github/workflows/ci-core.yml
Expand Up @@ -43,6 +43,7 @@ jobs:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
repository: smartcontractkit/chainlink
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: match-some
Expand Down Expand Up @@ -129,6 +130,8 @@ jobs:
steps:
- name: Checkout
uses: actions/[email protected]
with:
persist-credentials: false
- name: Golang Lint (${{ matrix.modules }})
uses: ./.github/actions/golangci-lint
with:
Expand Down Expand Up @@ -192,6 +195,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Change Modtime of Files (cache optimization)
shell: bash
Expand All @@ -214,8 +219,10 @@ jobs:

- name: Replace chainlink-evm deps
if: ${{ needs.filter.outputs.should-run-ci-core == 'true' && inputs.evm-ref != ''}}
env:
GH_INPUTS_EVM_REF: ${{ inputs.evm-ref }}
shell: bash
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@${{ inputs.evm-ref }}
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@$GH_INPUTS_EVM_REF

- name: Setup Solana
if: ${{ needs.filter.outputs.should-run-ci-core == 'true' }}
Expand Down Expand Up @@ -368,6 +375,8 @@ jobs:
steps:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false

- name: Setup node
uses: actions/[email protected]
Expand All @@ -391,8 +400,10 @@ jobs:

- name: Replace chainlink-evm deps
if: ${{ github.event_name == 'workflow_dispatch' && inputs.evm-ref != ''}}
env:
GH_INPUTS_EVM_REF: ${{ inputs.evm-ref }}
shell: bash
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@${{ inputs.evm-ref }}
run: go get github.com/smartcontractkit/chainlink-integrations/evm/relayer@$GH_INPUTS_EVM_REF

- name: Build binary
run: go build -o chainlink.test .
Expand Down Expand Up @@ -452,6 +463,7 @@ jobs:
- name: Checkout the repo
uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0 # fetches all history for all tags and branches to provide more metadata for sonar reports

- name: Download all workflow artifacts
Expand Down Expand Up @@ -601,6 +613,7 @@ jobs:
exit 0
- uses: actions/[email protected]
with:
persist-credentials: false
fetch-depth: 0
- name: Setup Go
uses: ./.github/actions/setup-go
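Review bot: In both `Replace chainlink-evm deps` steps the new `$GH_INPUTS_EVM_REF` is left unquoted, so a ref containing whitespace or glob characters is word-split by the shell before `go get` sees it; write `run: go get "github.com/smartcontractkit/chainlink-integrations/evm/relayer@${GH_INPUTS_EVM_REF}"`. Moving the value out of `${{ }}` closes the expression-injection path into the script, but `go get` still fetches whatever ref arrives in `inputs.evm-ref`, and the `if:` guards (`inputs.evm-ref != ''`) are the only check on it. A one-line comment on each step, such as `# evm-ref is caller-supplied; it selects the dependency revision and is only non-empty on explicit dispatch/call`, would make that trust boundary explicit to the next maintainer.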
