mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-04 20:12:54 +00:00
902d361107
### Summary I'm fixing one or more of the following CI/CD misconfigurations to improve security. Please feel free to leave a comment if you think the current permissions for the GITHUB_TOKEN should not be restricted so I can take a note of it as accepted behaviour. - Restrict permissions for GITHUB_TOKEN - Add step-security/harden-runner - Pin Actions to a full length commit SHA ### Security Fixes will fix https://github.com/neondatabase/cloud/issues/26141
89 lines
2.8 KiB
YAML
89 lines
2.8 KiB
YAML
name: Add `external` label to issues and PRs created by external users
|
|
|
|
on:
|
|
issues:
|
|
types:
|
|
- opened
|
|
pull_request_target:
|
|
types:
|
|
- opened
|
|
workflow_dispatch:
|
|
inputs:
|
|
github-actor:
|
|
description: 'GitHub username. If empty, the username of the current user will be used'
|
|
required: false
|
|
|
|
# No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
|
|
permissions: {}
|
|
|
|
env:
|
|
LABEL: external
|
|
|
|
jobs:
|
|
check-user:
|
|
runs-on: ubuntu-22.04
|
|
|
|
outputs:
|
|
is-member: ${{ steps.check-user.outputs.is-member }}
|
|
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Check whether `${{ github.actor }}` is a member of `${{ github.repository_owner }}`
|
|
id: check-user
|
|
env:
|
|
GH_TOKEN: ${{ secrets.CI_ACCESS_TOKEN }}
|
|
ACTOR: ${{ inputs.github-actor || github.actor }}
|
|
run: |
|
|
expected_error="User does not exist or is not a member of the organization"
|
|
output_file=output.txt
|
|
|
|
for i in $(seq 1 10); do
|
|
if gh api "/orgs/${GITHUB_REPOSITORY_OWNER}/members/${ACTOR}" \
|
|
-H "Accept: application/vnd.github+json" \
|
|
-H "X-GitHub-Api-Version: 2022-11-28" > ${output_file}; then
|
|
|
|
is_member=true
|
|
break
|
|
elif grep -q "${expected_error}" ${output_file}; then
|
|
is_member=false
|
|
break
|
|
elif [ $i -eq 10 ]; then
|
|
title="Failed to get memmbership status for ${ACTOR}"
|
|
message="The latest GitHub API error message: '$(cat ${output_file})'"
|
|
echo "::error file=.github/workflows/label-for-external-users.yml,title=${title}::${message}"
|
|
|
|
exit 1
|
|
fi
|
|
|
|
sleep 1
|
|
done
|
|
|
|
echo "is-member=${is_member}" | tee -a ${GITHUB_OUTPUT}
|
|
|
|
add-label:
|
|
if: needs.check-user.outputs.is-member == 'false'
|
|
needs: [ check-user ]
|
|
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
pull-requests: write # for `gh pr edit`
|
|
issues: write # for `gh issue edit`
|
|
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Add `${{ env.LABEL }}` label
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
ITEM_NUMBER: ${{ github.event[github.event_name == 'pull_request_target' && 'pull_request' || 'issue'].number }}
|
|
GH_CLI_COMMAND: ${{ github.event_name == 'pull_request_target' && 'pr' || 'issue' }}
|
|
run: |
|
|
gh ${GH_CLI_COMMAND} --repo ${GITHUB_REPOSITORY} edit --add-label=${LABEL} ${ITEM_NUMBER}
|