I’m not happy with the security on GitHub actions.
The current options I have for my orgs is to either allow all actions, allow actions hosted in the org, or whitelist specific actions by name.
It’s not clear to see actions and any testing or certification they may have. Even github built actions might be under an individual’s account. So it takes quite a bit of effort to check out an action to see if it’s safe or dangerous.
And I worry about actions a little more because they do things like copy files, deploy systems, and other things where I wouldn’t want rogue code interjecting malware.
Currently I require all actions to be hosted in the org so devs have forked actions into our org. That at least makes a developer vouch for a particular version and makes it harder for an update to that action to break something.
I think they need an equivalent of “gold actions” endorsed by GitHub. Or a vetted repo like pypi or cran or something else that actually has some controls around versions and changes.
I have the similar concerns as you. I still use actions, but I am very careful about reading through the code of any actions I use.
Your idea to use forked versions of actions is interesting.
Another security concern I have with GitHub is that when you give permission for a 3rd party app on your repo, you have to give access across all repos in your account.
I’m really surprised it’s not possible to give access to a specific repo. It’s bizarre to me that it’s setup like this.
GitHub’s security scopes are the closest that I’ve come to dropping them.
When I create a token, I have to grant access to all repos or none. That’s crazy since I admin some stuff any token I have for work means it’s a risk to everything.
Also, there’s no read-only scope for some admin functions. So to read private repo metadata for simple auditing purposes I have to grant access to edit them as well. That’s crazy.
Same for repo access. The fact that I can’t create a read only token for a repo is annoying.
I think this is a legacy from them not having a nuanced security model and it’s annoying.
The only around this now is to create different user accounts and that’s annoying.
Given that actions can reference other actions, is this even feasible? You'd have to go and fork all deps, and then if you ever want to pull upstream, repatch.
I don’t think that’s the case. As far as I have read, a multi-step action that you create cannot use a community action.
I was wanting to do this so as to be able to break up some lengthy workflows into reusable pieces, so I figured I’d create some actions, but when I tried to use for example the standard checkout action, inside my action, it failed. I emailed support and they said that actions inside actions was not supported.
Perhaps you are referring to something else? A different type of action?
The current options I have for my orgs is to either allow all actions, allow actions hosted in the org, or whitelist specific actions by name.
It’s not clear to see actions and any testing or certification they may have. Even github built actions might be under an individual’s account. So it takes quite a bit of effort to check out an action to see if it’s safe or dangerous.
And I worry about actions a little more because they do things like copy files, deploy systems, and other things where I wouldn’t want rogue code interjecting malware.
Currently I require all actions to be hosted in the org so devs have forked actions into our org. That at least makes a developer vouch for a particular version and makes it harder for an update to that action to break something.
I think they need an equivalent of “gold actions” endorsed by GitHub. Or a vetted repo like pypi or cran or something else that actually has some controls around versions and changes.