Add Workflows and Scripts to automatically keep the approved_patterns.yml up to date. by assignUser · Pull Request #90 · apache/infrastructure-actions

assignUser · 2025-01-07T03:54:35Z

As discussed with @dfoulks1 this PR adds the technical frontend to allow easy management of the org wide actions allow list. The backend is a pip service that listens for changes to approved_patterns.yml and updates the actual org setting through the GH API. The missing component is the social part of reviewing add or updated actions in PRs based on policy/heuristic.

I have overwritten the current approved_patterns.yml with an example file, before actually merging this we have to convert the current version into the new format without wildcards and SHAs instead of tags. Thanks @dfoulks1 for the conversion!

actions.yml contains the data about allowed actions and their refs. Refs that are outdated but required for whatever reason get keep: true which prevents them being pruned by the cron job.
New refs or actions can be added to actions.yml via PR everything else will be handled through the workflows.
A workflow and gateway.py turns this into a dummy Github Actions workflow that is checked by Dependabot.
If Dependabot finds a new version it will open a PR against the workflow to update the ref.
Once the PR is merged a workflow will update actions.yml with the new ref and set an expire date on previous refs and create approved_patterns.yml from the data which is in turn used to set the ASF org settings.
A daily cron job removes expired refs and actions with no refs from actions.yml.

This will then enable us to implement the following process:

run Dependabot on the 30th in the infra actions repo
check and merge dependabot PRs
actions.yml and approved_patterns.yml are updated
old versions are set to expire in 4 weeks
Run Dependabot on the 15th in all project repos
2 weeks time for projects to merge dependabot PRs to fix outdated versions
When the 4 weeks are up the daily cron job will remove the old versions from approved_patterns.yml

Remove details from comment

sebbASF

Documentation needed please

gopidesupavan · 2025-01-25T01:03:05Z

@assignUser Nice , instead of on root, could we move the gateway scripts to some folders? just for easy to segregate and we might add more scripts in future/ add further improvements. WDYT?

assignUser · 2025-03-15T11:34:08Z

missing feature: ban list of compromised actions, though afaik that is a feature that zizmor provides?

assignUser · 2025-03-19T22:31:09Z

+1. **Fork** this repository
+2. **Remove** the relevant entry from `actions.yaml`
+3. **Create a PR** against the `main` branch
+4. **Mark it as urgent** in the PR title (e.g., "URGENT: Remove vulnerable action X")
+5. **Include in your PR description**:
+   - The reason for removal
+   - Any CVE or security advisory ID if applicable
+   - Impact on projects currently using the action
+   - Recommended alternatives if available


The process was chatgpts idea but I do think it makes sense to have some process like this for cases like the tj-actions incident, where anyone who comes across a compromised actions can quickly initiate removal of said action.

gopidesupavan · 2025-03-20T13:14:14Z

+          git config --local user.email "$GITHUB_ACTOR@users.noreply.github.com"
+          git add -f actions.yml approved_patterns.yml
+          git commit -m "Update Actions" || echo "No changes"
+          git push origin


If branch protection rules enabled, will this work? it seems pushing directly to main.

Ah, no that would probably block it. I think the best solution for that would be to use a simple github app and add that to the bypass list.

gopidesupavan · 2025-03-20T13:18:49Z

Good stuff , LGTM :)

add gateway

4af480a

Remove details from comment

assignUser force-pushed the add-list-gateway branch from 07d17fa to 4af480a Compare January 7, 2025 03:54

fallback to default token

a841fae