Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not persist credentials on GH Actions #4435

Merged
merged 1 commit into from
Dec 17, 2024
Merged

Do not persist credentials on GH Actions #4435

merged 1 commit into from
Dec 17, 2024

Conversation

gustawlippa
Copy link
Contributor

@gustawlippa gustawlippa commented Dec 13, 2024
edited
Loading

I ran a GH Actions safety checker called Zizmor, which suggested that the "persist-credentials" option should be set to "false", so that git auth tokens cannot be leaked. The full rationale: https://woodruffw.github.io/zizmor/audits/#artipacked. It is not a big issue for us, as we don't upload artifacts from GH Actions, but using this option should add a bit of safety anyway.

Manually run GH Actions to see if the change doesn't break anything: https://github.com/esl/MongooseIM/actions/runs/12299291228

@gustawlippa
Do not persist credentials on GH Actions
7241910 
I ran a GH Actions safety checker, which suggested that the
"persist-credentials" option should be set to "false".
The rationale: https://woodruffw.github.io/zizmor/audits/#artipacked. It is not
a big issue for us, as we don't upload artifacts from GH Actions, but using
this option should add a bit of safety anyway.
@mongoose-im
Copy link
Collaborator

mongoose-im commented Dec 13, 2024
edited
Loading

elasticsearch_and_cassandra_27 / elasticsearch_and_cassandra_mnesia / 7241910
Reports root/ big
OK: 472 / Failed: 0 / User-skipped: 49 / Auto-skipped: 0

small_tests_26 / small_tests / 7241910
Reports root / small

small_tests_27 / small_tests / 7241910
Reports root / small

small_tests_27_arm64 / small_tests / 7241910
Reports root / small

ldap_mnesia_26 / ldap_mnesia / 7241910
Reports root/ big
OK: 2353 / Failed: 0 / User-skipped: 912 / Auto-skipped: 0

dynamic_domains_mysql_redis_27 / mysql_redis / 7241910
Reports root/ big
OK: 4726 / Failed: 0 / User-skipped: 154 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_26 / pgsql_mnesia / 7241910
Reports root/ big
OK: 4761 / Failed: 0 / User-skipped: 119 / Auto-skipped: 0

ldap_mnesia_27 / ldap_mnesia / 7241910
Reports root/ big
OK: 2353 / Failed: 0 / User-skipped: 912 / Auto-skipped: 0

dynamic_domains_mssql_mnesia_27 / odbc_mssql_mnesia / 7241910
Reports root/ big
OK: 4756 / Failed: 0 / User-skipped: 124 / Auto-skipped: 0

pgsql_cets_27 / pgsql_cets / 7241910
Reports root/ big
OK: 4850 / Failed: 0 / User-skipped: 188 / Auto-skipped: 0

internal_mnesia_27 / internal_mnesia / 7241910
Reports root/ big
OK: 2495 / Failed: 0 / User-skipped: 770 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_27 / pgsql_mnesia / 7241910
Reports root/ big
OK: 4761 / Failed: 0 / User-skipped: 119 / Auto-skipped: 0

mysql_redis_27 / mysql_redis / 7241910
Reports root/ big
OK: 5130 / Failed: 0 / User-skipped: 149 / Auto-skipped: 0

pgsql_mnesia_27 / pgsql_mnesia / 7241910
Reports root/ big
OK: 5151 / Failed: 0 / User-skipped: 128 / Auto-skipped: 0

cockroachdb_cets_27 / cockroachdb_cets / 7241910
Reports root/ big
OK: 4850 / Failed: 0 / User-skipped: 188 / Auto-skipped: 0

pgsql_mnesia_26 / pgsql_mnesia / 7241910
Reports root/ big
OK: 5151 / Failed: 0 / User-skipped: 128 / Auto-skipped: 0

mssql_mnesia_27 / odbc_mssql_mnesia / 7241910
Reports root/ big
OK: 5146 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

@codecov Codecov
Copy link

codecov bot commented Dec 13, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 85.36%. Comparing base (91cdfa1) to head (7241910).
Report is 43 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #4435      +/-   ##
==========================================
+ Coverage   85.33%   85.36%   +0.03%     
==========================================
  Files         549      549              
  Lines       33863    33863              
==========================================
+ Hits        28896    28907      +11     
+ Misses       4967     4956      -11

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@gustawlippa gustawlippa marked this pull request as ready for review December 13, 2024 10:07
NelsonVides
NelsonVides approved these changes Dec 17, 2024
View reviewed changes
Copy link
Collaborator

@NelsonVides NelsonVides left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👌🏽

@NelsonVides NelsonVides merged commit a7c95ad into master Dec 17, 2024
23 checks passed
@NelsonVides NelsonVides deleted the safe-gh-actions branch December 17, 2024 07:01
@jacekwegr jacekwegr added this to the 6.3.1 milestone Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NelsonVides NelsonVides NelsonVides approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
6.3.1
Development

Successfully merging this pull request may close these issues.
4 participants
@gustawlippa @mongoose-im @NelsonVides @jacekwegr