
🌱 Tighten restrictions for running scdiff workflow #4376

Merged
merged 2 commits into ossf:main from scdiff
Oct 8, 2024

Conversation

spencerschrock
Copy link
Member

What kind of change does this PR introduce?

workflow change

What is the current behavior?

Any previous contributor can run the scdiff workflow

What is the new behavior (if this is a feature change)?

Only members of the ossf GitHub org can run the scdiff workflow.

Previously we matched GitHub's "Require approval for first-time
contributors", which represents a minor barrier for attackers
(e.g. submitting a typo fix). Project members should ensure their
visibility in the "ossf" GitHub org is "Public" to be able to run
scdiff.

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

NONE

Previously we matched GitHub's "Require approval for first-time
contributors", which represents a minor barrier for attackers
(e.g. submitting a typo fix). Project members should ensure their
visibility in the "ossf" GitHub org is "Public" to be able to run
scdiff.

Signed-off-by: Spencer Schrock <[email protected]>
There is a small window after leaving an scdiff comment, where the
workflow queues then sends an API request to determine the PR head SHA.
An attacker could use this time to push new code that wasn't reviewed.

This change attempts to ensure the code that runs is older than the code
the requester saw when leaving the scdiff comment. Both timestamps used
are controlled by GitHub, not a user controlled timestamp.

There may be some false positives, as `repo.pushed_at` corresponds to
all repo activity, not just the branch used for the PR. This risk is
acceptable as it's better to be safe; we can always re-run the workflow.

Signed-off-by: Spencer Schrock <[email protected]>
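The timestamp gate described in the commit message above, as an added illustration that is not the scorecard project's own workflow code. It assumes the two GitHub-set fields named there, the triggering comment's `created_at` and the repository's `pushed_at`, arrive as ISO 8601 strings in a payload of constructed shape, and it refuses to run when the last push is not strictly older than the comment.

```python
"""Timestamp gate for a comment-triggered workflow such as scdiff.

Added example, not the scorecard project's code. Assumes the two GitHub-controlled
timestamps from the commit message: the comment's `created_at` and the repo's
`pushed_at`, both ISO 8601. The run is allowed only if the last push predates
the comment, so the code that runs is no newer than what the requester saw.
"""
from datetime import datetime, timezone


def parse_github_ts(value: str) -> datetime:
    """Parse a GitHub timestamp like "2024-10-08T20:34:00Z" into aware UTC."""
    if value.endswith("Z"):            # older Pythons reject a bare "Z" suffix
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    return ts.astimezone(timezone.utc)


def push_predates_comment(pushed_at: str, comment_created_at: str) -> bool:
    """True only if the last push is strictly older than the comment.

    Equal timestamps are rejected: a push landing in the same second as the
    comment cannot be told apart from one the requester actually reviewed.
    """
    return parse_github_ts(pushed_at) < parse_github_ts(comment_created_at)


def gate(event: dict) -> tuple:
    """Return (allowed, reason) for a trimmed issue_comment-style payload (constructed shape)."""
    pushed = event["repository"]["pushed_at"]
    commented = event["comment"]["created_at"]
    if push_predates_comment(pushed, commented):
        return True, f"last push {pushed} predates comment {commented}"
    # repo.pushed_at covers every branch, so an unrelated push after the comment
    # also refuses the run (the false positive the commit accepts); re-run to recover.
    return False, f"push at {pushed} is not older than comment at {commented}; refusing"


if __name__ == "__main__":
    # Constructed sample payloads, not real scorecard events.
    safe = {"repository": {"pushed_at": "2024-10-08T20:00:00Z"},
            "comment": {"created_at": "2024-10-08T20:05:00Z"}}
    raced = {"repository": {"pushed_at": "2024-10-08T20:05:30Z"},
             "comment": {"created_at": "2024-10-08T20:05:00Z"}}
    for ev in (safe, raced):
        allowed, reason = gate(ev)
        print("RUN " if allowed else "SKIP", reason)
```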
@spencerschrock spencerschrock merged commit 28db9a9 into ossf:main Oct 8, 2024
39 checks passed
@spencerschrock spencerschrock deleted the scdiff branch October 8, 2024 20:34