github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-23 22:17:19 +00:00
Code Issues Projects Releases Wiki Activity

gha: Don't automatically trigger CI

Browse Source 
We have GH configured so that manual approval is required for CI runs
triggered by outside contributors. However, because CI is triggered by
the `pull_request_target` event, this setting isn't being honored
(see [1]). This means that an attacker could trivially extracts secrets
by submitting a PR.

This change aims to mititgate this issue by preventing PRs from
triggering CI unless the `ok-to-test` label is set.

Note: For further context, we use the `pull_request_target` event and
manually check out the PR branch because it is the only way to both
access secrets and test incoming code changes.

Fixes: #7163

 [1]: https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
This commit is contained in:
Aurélien Bombo 2023-06-19 11:47:29 -07:00
parent 90408d66c0
commit e0d6475b49
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
.github/workflows/ci-on-push.yaml vendored
View File

@ -3,14 +3,25 @@ on:
pull_request_target:
branches:
- 'main'
types:
# Adding 'labeled' to the list of activity types that trigger this event
# (default: opened, synchronize, reopened) so that we can run this
# workflow when the 'ok-to-test' label is added.
# Reference: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
- opened
- synchronize
- reopened
- labeled
jobs:
build-kata-static-tarball-amd64:
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
with:
tarball-suffix: -${{ github.event.pull_request.number}}-${{ github.event.pull_request.head.sha }}
publish-kata-deploy-payload-amd64:
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
needs: build-kata-static-tarball-amd64
uses: ./.github/workflows/publish-kata-deploy-payload-amd64.yaml
with:
@ -21,6 +32,7 @@ jobs:
secrets: inherit
run-k8s-tests-on-aks:
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
with:
@ -30,6 +42,7 @@ jobs:
secrets: inherit
run-k8s-tests-on-sev:
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-sev.yaml
with:
@ -38,6 +51,7 @@ jobs:
tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
run-k8s-tests-on-snp:
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-snp.yaml
with:
@ -46,6 +60,7 @@ jobs:
tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
run-k8s-tests-on-tdx:
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-tdx.yaml
with:
@ -54,6 +69,7 @@ jobs:
tag: ${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}-amd64
run-metrics-tests:
if: ${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}
needs: build-kata-static-tarball-amd64
uses: ./.github/workflows/run-metrics.yaml
with: