Commit Graph

3 Commits

Author SHA1 Message Date
Aurélien Bombo
a678046d13 gha: Pin third-party actions to commit hashes
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-03-19 13:52:49 -05:00
Hyounggyu Choi
dd23beeb05 CI: Eliminating dependency on clone_tests_repo()
As part of archiving the tests repo, we are eliminating the dependency on
`clone_tests_repo()`. The scripts using the function is as follows:

- `ci/install_rust.sh`.
- `ci/setup.sh`
- `ci/lib.sh`

This commit removes or replaces the files, and makes an adjustment accordingly.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-06-28 14:52:02 +02:00
Derek Lee
bed4aab7ee github-actions: Add cargo-deny
Adds cargo-deny to scan for vulnerabilities and license issues regarding
rust crates.

GitHub Actions does not have an obvious way to loop over each of the
Cargo.toml files. To avoid hardcoding it, I worked around the problem
using a composite action that first generates the cargo-deny action by
finding all Cargo.toml files before calling this new generated action in
the master workflow.

Uses recommended deny.toml from cargo-deny repo with the following
modifications:

 ignore = ["RUSTSEC-2020-0071"]
  because chrono is dependent on the version of time with the
  vulnerability and there is no simple workaround

 multiple-versions = "allow"
  Because of the above error and other packages, there are instances
  where some crates require different versions of a crate.

 unknown-git = "allow"
  I don't see a particular issue with allowing crates from other repos.
  An alternative would be the manually set each repo we want in an
  allow-git list, but I see this as more of a nuisance that its worth.
  We could leave this as a warning (default), but to avoid clutter I'm
  going to allow it.

If deny.toml needs to be edited in the future, here's the guide:
https://embarkstudios.github.io/cargo-deny/index.html

Fixes #3359

Signed-off-by: Derek Lee <derlee@redhat.com>
2022-08-30 09:30:03 -07:00