Automatic updates to the list of allowed actions #919
Comments
|
@TorstenD-SAP and myself meet to discuss this issue and we have following:
|
|
another comment on my side: any validations should be done on PR. if that is failing merge should be blocked. main should be always in clean state and automation is only propagating this configuration |
|
@TorstenD-SAP @strekm @barchw
|
|
My general question is do we really need it for all of the workflows? I understand restrictions for Build workflows, but I don't get why we need to have restrictions for workflows that are just running for example tests or some other check related to development only. For example The second question is how we are maintaining this |
|
Responding to @Sawthis questions:
I would say this is not really possible to achieve without breaking already running workflows, especially when module teams are supporting different release branches.
That's what's expected if this issue is implemented. Right now, from what I understood this process in manual. What we would want, is an easy way to update this file, and have it updated in our module repo immediately. What @mrCherry97 mentions, that right now all changes to this file have to be approved by @TorstenD-SAP, and having one person need to approve all version upgrades is the real problem why we are even coming with this issue, so this is the thing we would like to resolve. |
|
So currently we have 2 issues with this process:
Even if we automate the update of the Github action versions, it will require approval by @TorstenD-SAP, and it's not scalable. We can implement auto-approve and auto-merge features for it, but then it will be the same as allowing all versions of the given Github actions. First of all, I would vote to have more people who can approve of the allowed Github action versions update. Maybe @kyma-project/kyma-steering-committee ? As a second step, I would allow the use of all versions of the given Github action as it is done in the internal Github. Then, we can automate updates from the list of the allowed actions to the organization settings. Or just generate a list in the Github action to make it easier for the reviewer to update the organization settings. |
I do not know who decided to allow every version of an approved action in the internal Github, but I want to object to do it in that way. It is a clear guidance from Github itself to pin actions to a full length commit SHA (https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions). As you read further down on the page I shared before, Github recommends to audit the code of an action and this is also required in our guidelines (https://github.com/kyma-project/community/blob/main/docs/contributing/05-gh-actions.md#perform-security-review).
There is already a cli tool to update the list of allowed actions. What is missed is to turn this into a Github action to automate the update of the list of allowed actions. If this is done, we can simply add more people to approve the changes on the allowed actions. |
Even this would be great from a security pov it is not the case atm. Supporting only the latest version immediately will for sure break a lot of workflows.
Yes, this is the idea of that file. |
|
As it was announced by @TorstenD-SAP .
|
Description
Third party actions and their versions that are allowed to be used in Kyma organisation repositories are stored in
docs/contributing/assets/allowed_actions.json. This list is often outdated, making the process of being up-to-date with the actions releases problematic.This issue proposes a solution of having an automation that would create a PR to this list, that could later be approved by Kyma Security team (dependabot alike)
Reasons
Being up-to-date with actions.
References
The text was updated successfully, but these errors were encountered: