ci: fix semver-checks master#3028
ci: fix semver-checks master#3028apoelstra merged 1 commit intorust-bitcoin:masterfrom storopoli:ci/fix-semver-checks
Conversation
.github/workflows/semver-checks.yml
Outdated
There was a problem hiding this comment.
@Kixunil I cannot read the PR number in the semver-checks-pr-label.yml from the previous semver-checks-pr.yml workflow.
I've tried a couple of things, most notoriously this:
# in semver-checks-pr-label.yml
env:
# hack to get PR number from the workflow_run object
PR_NUMBER: ${{ github.event.workflow_run.conclusion.pull_requests[0].number }}There was a problem hiding this comment.
That sucks. But if someone griefs us we'll have an argument for GH to fix that.
Pull Request Test Coverage Report for Build 9939267405Details
💛 - Coveralls |
Kixunil
left a comment
There was a problem hiding this comment.
The remaining vulnerability needs to be fixed.
.github/workflows/semver-checks.yml
Outdated
There was a problem hiding this comment.
That sucks. But if someone griefs us we'll have an argument for GH to fix that.
obi1kenobi
left a comment
There was a problem hiding this comment.
I'm generally very risk-averse when it comes to security things, so my personal preference is to obsessively quote everything and eliminate anything that might be a vector for code injection, even if it is currently not exploitable due to an existing check. I basically don't trust that a future refactoring won't accidentally remove or reduce the check just enough that an attacker could slip through.
I've left some suggestions in that spirit, but it's entirely possible your preferences are not the same. So consider my comments purely advisory and feel free to ignore them if you don't think they are right for your style and development process.
Kixunil
left a comment
There was a problem hiding this comment.
ACK 6ab8f99
My comments can be addressed in a follow up PR since I believe this is sufficiently secure even without it and we desperately need to fix master. Note that I'm going AFK soon, so pushing will remove my ACK for around 8 hours.
| fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/semver-break.zip`, Buffer.from(download.data)); | ||
| - name: "Unzip artifact" | ||
| if: ${{ hashFiles('semver-break.zip') != '' }} | ||
| run: unzip semver-break.zip |
There was a problem hiding this comment.
FTR, I did check whether unzip is vulnerable to path traversal attacks. It looks like it's not. But maybe we should use the -n switch just to be sure. (Why the f didn't GH provide a first class API for this?!)
There was a problem hiding this comment.
You mean the -n that I get when I run unzip -h in my linux machine:
-n never overwrite existing files
?
| PR_NUMBER: ${{ github.event.number }} | ||
| run: | | ||
| # check if PR_NUMBER is a number | ||
| if ! [[ "$PR_NUMBER" =~ ^-?[0-9]+$ ]]; then |
There was a problem hiding this comment.
This isn't really needed since the attacker won't attack himself.
There was a problem hiding this comment.
But I prefer to have it in there. It is not doing anything now since the ENV var is set by Github.
Do you really see that it could be a problem in the near future?
There was a problem hiding this comment.
It's just a bloat. Not a big deal but I'd remove it if it was entirely my choice.
tcharding
left a comment
There was a problem hiding this comment.
FWIW ACK merging this. I can't put a proper ACK because I don't even know what scripting language is being used so my review is too shallow to warrant any worth.
Ignorance is a bliss. I wish I didn't know either. |
|
Lol, glad I didn't look it up :) |
I think I am more a JS hater (it belongs only in the browser to make things do things) than Rust maximalist. I've updated the PR description with an overview and some implementation notes. |
obi1kenobi
left a comment
There was a problem hiding this comment.
This looks good to me 👍
Just a note that the unzip -n conversation got resolved but the -n argument doesn't look like it made it into the PR. Entirely possible this is intentional and I've just been out of the loop, so I'm just flagging it for your consideration.
WASM belongs there ;) Thanks @obi1kenobi we had a rule to resolve conversations before but removed it. It was intentionally left out of the PR to not trigger re-review but should not have been marked as resolved. |
|
Yeah my bad, I got trigger-happy with the resolve to unclutter things for the reviewers since we are planning to merge this without the |
Ok now I think I've nailed this! 🚀
Closes #3018.
Summary
This PR fix the permissions by adding a secondary job,
semver-checks-pr-label, that runs only if thesemver-checkscompletes and does not fail, i.e. we have either Semver API breaks.This is a secure job according to internal discussions and https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run
Implementation notes
We split the semver checks into the actual check and labeling. This is due to the fact that we were having several permission issues and the original implementation was insecure. Also it is currently failing on several PRs.
semver-checks.yml: checks for API semver breaks. Upon finding API semver-checks, it creates a file namedsemver-breakthat has the PR number inside. If this file is present we upload an artifact representing that the API semver was broken with the PR number.semver-checks-pr-label.yml: runs after thesemver-checks.ymlis completed. It usesactions/github-script(in JavaScript) to list the previous workflow artifacts and, if finds that an API semver break is present, adds a corresponding label and a comment to the PR that is inside the filesemver-break. We sanitize the hell out of the thing to be a number only, both in BASH but also in JavaScript.How I tested this?
I merged this PR to my
masterbranch in mystoropoli/rust-bitcoinrepo.I've set the following settings in the repo settings to mimic what we have for
rust-bitcoin:I've made a PR (cherry-picked from Toby) that breaks semver, see https://github.com/storopoli/rust-bitcoin/pull/10. It correctly labelled as
API breakand added a comment to the PR