fix: extract 53 unsafe expression(s) to env vars#31890
Open
dagecko wants to merge 1 commit into
Automated security fixes applied by Runner Guard (https://github.com/Vigilant-LLC/runner-guard).

Changes:

    .../benchmark-prevent-performance-degradations.yml |  4 +-
    .github/workflows/ci.yml                           |  4 +-
    .github/workflows/code-checker.yml                 | 16 +++-
    .github/workflows/plugin-update-check.yml          |  4 +-
    .github/workflows/plugin-update.yml                |  4 +-
    .github/workflows/test-enos-scenario-ui.yml        | 12 ++-
    .github/workflows/test-go.yml                      | 25 ++++-
    .../test-run-enos-scenario-containers.yml          |  4 +-
    .../workflows/test-run-enos-scenario-matrix.yml    | 93 +++++++++++++++-------
    .github/workflows/test-run-enos-scenario.yml       | 12 ++-
    .github/workflows/test-ui.yml                      |  7 +-
    11 files changed, 132 insertions(+), 53 deletions(-)
@dagecko is attempting to deploy a commit to the HashiCorp Team on Vercel. A member of the Team first needs to authorize it.
Description

This PR hardens CI/CD workflows against supply chain attacks by extracting 53 secrets and expressions from `run:` blocks into `env:` mappings across 11 workflow files.

Summary

This PR hardens your CI/CD workflows against supply chain attacks by extracting unsafe expressions from `run:` blocks into `env:` mappings.

Files changed:

- test-run-enos-scenario-matrix.yml
- test-go.yml
- code-checker.yml
- test-enos-scenario-ui.yml
- test-run-enos-scenario.yml
- test-ui.yml
- benchmark-prevent-performance-degradations.yml
- ci.yml
- plugin-update.yml
- test-run-enos-scenario-containers.yml
- plugin-update-check.yml

22 additional advisory findings (not auto-fixed, flagged for review):

These are step output interpolations (RGS-019) and other patterns that require manual review.
Why this PR
I've been scanning the top 50,000 GitHub repositories for CI/CD pipeline vulnerabilities over the last 5 weeks as part of an ongoing research effort into the supply chain attack campaign that started with tj-actions in March and has escalated through multiple phases since.
You may notice that I have opened up a lot of PRs - don't take that as a negative. I've been working around the clock on this and monitoring all comms. It may take me an hour or two to get back to a comment you leave.
How to verify
Every change is mechanical and preserves workflow behavior:
- Extracts `${{ }}` expressions from `run:` blocks into `env:` mappings, preventing shell injection

We've had 22 merges so far including next.js, keras, webpack, svelte, apache/superset, and excalidraw. I created a tool called Runner Guard to assist in my research - it does mechanical, non-AI fixes to reduce hallucinations to zero and produce consistent fixes. If you would like to scan it yourself to validate my work, feel free.
Happy to answer any questions - I'm monitoring comms on every PR.
- Chris Nyhuis (dagecko)
PCI review checklist
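The fix this PR applies works because `${{ }}` is expanded by the runner while the step's script text is being assembled, so whatever the expression evaluates to (a PR title, a branch name, a comment body) becomes part of the shell source; a value passed through `env:` reaches the shell only as a variable, which the shell treats as data. Below is an added example, not code from Runner Guard or from this PR: a stdlib-only Python checker that scans a workflow file as text, reports every expression that sits inside a `run:` value, keeps step-output reads (`steps.<id>.outputs.<name>`, the RGS-019 class the PR leaves for manual review) as advisory, and rewrites the remaining ones to `$NAME` references together with the `env:` entries they need. The sample workflow, the `WF_` naming scheme and the fixable/advisory split are constructed for this example and are not Runner Guard's conventions.

```python
"""Added example: find and rewrite ${{ }} expressions inside run: blocks (stdlib only)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")  # ${{ expr }}; group 1 is the bare expr
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:(?:\s+(.*))?$")  # run: key, maybe as a list item
BLOCK_SCALARS = {"|", "|-", "|+", ">", ">-", ">+"}
# steps.<id>.outputs.<name>: the class the PR leaves for manual review (RGS-019)
STEP_OUTPUT_RE = re.compile(r"^steps\.[\w-]+\.outputs\.[\w-]+$")

# Constructed sample: two unsafe lines in a block scalar, one mixed inline run:,
# and a step that already passes the value through env:.
SAMPLE_WORKFLOW = """\
name: ci
on: pull_request
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          echo "Author: ${{ github.actor }}"
      - run: echo "ref ${{ github.head_ref }} from ${{ steps.build.outputs.version }}"
      - name: Already safe
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
"""


@dataclass
class Finding:
    line: int        # 1-based line number in the workflow
    expression: str  # bare expression, e.g. github.event.pull_request.title
    fixable: bool    # True: move into env:; False: flag for manual review
    env_name: str    # proposed variable name ("" when not fixable)


def env_name_for(expression: str) -> str:
    """github.event.pull_request.title -> WF_GITHUB_EVENT_PULL_REQUEST_TITLE.
    WF_ is this example's prefix; it keeps names clear of the runner's GITHUB_* ones."""
    return "WF_" + re.sub(r"[^A-Za-z0-9]+", "_", expression).strip("_").upper()


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _run_line_indexes(lines: List[str]) -> List[int]:
    """0-based indexes of every line that is (part of) a run: value."""
    idx: List[int] = []
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = lines[i].index("run:")
        value = (m.group(1) or "").strip()
        idx.append(i)  # a one-line `run: cmd` is the whole script
        i += 1
        if value in BLOCK_SCALARS:
            # Block scalar: the script continues on every following line
            # indented deeper than the run: key (blank lines included).
            while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > key_indent):
                idx.append(i)
                i += 1
    return idx


def find_run_expressions(workflow_text: str) -> List[Finding]:
    """Report every ${{ }} expression that would be pasted into a shell script."""
    lines = workflow_text.splitlines()
    findings: List[Finding] = []
    for i in _run_line_indexes(lines):
        for m in EXPR_RE.finditer(lines[i]):
            expr = m.group(1)
            fixable = not STEP_OUTPUT_RE.match(expr)
            findings.append(Finding(i + 1, expr, fixable, env_name_for(expr) if fixable else ""))
    return findings


def rewrite_workflow(workflow_text: str) -> Tuple[str, Dict[str, str]]:
    """Rewrite run: lines only; return the new text and the env: entries they need.

    A fixable expression becomes a bare $NAME and so inherits the quoting already
    around it (that quoting is still worth a look). Advisory expressions, and every
    ${{ }} outside run: (existing env: values, with: inputs), are left as written.
    Placing the entries under each step's env: key needs a structure-aware YAML edit.
    """
    env: Dict[str, str] = {}

    def repl(m):
        expr = m.group(1)
        if STEP_OUTPUT_RE.match(expr):
            return m.group(0)  # advisory finding: left exactly as written
        name = env_name_for(expr)
        env[name] = "${{ %s }}" % expr
        return "$" + name

    lines = workflow_text.splitlines()
    for i in _run_line_indexes(lines):
        lines[i] = EXPR_RE.sub(repl, lines[i])
    return "\n".join(lines) + "\n", env
```

Calling `find_run_expressions(SAMPLE_WORKFLOW)` reports four expressions: three to move into `env:` and one step-output read to review. `rewrite_workflow` leaves that one and the existing `env:` value untouched, and a second scan of its output reports only the advisory finding, which is the property a mechanical fixer of this kind should have.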