From 55ee70e06ba928ca64d8d3cee9783b109dc5c9e6 Mon Sep 17 00:00:00 2001
From: Kevin Heis
Date: Tue, 4 Jan 2022 09:43:40 -0800
Subject: [PATCH] Check that actions specify hashes instead of allowlist (#24042)
* Check that actions specify hashes instead of allowlist
* Fixes for unhashed version
* Update actions-workflows.js
---
 .github/allowed-actions.js | 39 ---------------------------------
 .github/workflows/codeql.yml | 4 ++--
 tests/unit/actions-workflows.js | 14 +++++-------
 3 files changed, 7 insertions(+), 50 deletions(-)
 delete mode 100644 .github/allowed-actions.js
diff --git a/.github/allowed-actions.js b/.github/allowed-actions.js
deleted file mode 100644
index b5dc6702ef..0000000000
--- a/.github/allowed-actions.js
+++ /dev/null
@@ -1,39 +0,0 @@
-// This is an AllowList of GitHub Actions that are approved for use in this project.
-// If a new or existing workflow file is updated to use an action or action version not listed here,
-// CI will fail and the action will need to be audited by the docs engineering team before it
-// can be added it this list.
-
-export default [
- 'actions/cache@c64c572235d810460d0d6876e9c705ad5002b353', // v2.1.6
- 'actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579', // v2.4.0
- 'actions/github-script@2b34a689ec86a68d8ab9478298f91d5401337b7d', // v4.0.2
- 'actions/labeler@5f867a63be70efff62b767459b009290364495eb', // v2.2.0
- 'actions/setup-node@04c56d2f954f1e4c69436aa54cfef261a018f458', // v2.5.0
- 'actions/stale@cdf15f641adb27a71842045a94023bef6945e3aa', // v4.0.0
- 'actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074', // v2.2.4
- 'alex-page/github-project-automation-plus@bb266ff4dde9242060e2d5418e120a133586d488', // v0.8.1
- 'andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90', // v1.0.4
- 'cschleiden/actions-linter@caffd707beda4fc6083926a3dff48444bc7c24aa', // uses github-actions-parser v0.23.0
- 'lee-dohm/close-matching-issues@e9e43aad2fa6f06a058cedfd8fb975fd93b56d8f', // v2.1.0
- 'dawidd6/action-delete-branch@47743101a121ad657031e6704086271ca81b1911', // v3.0.2
- 'dawidd6/action-download-artifact@af92a8455a59214b7b932932f2662fdefbd78126', // v2.15.0
- 'dorny/paths-filter@eb75a1edc117d3756a18ef89958ee59f9500ba58',
- 'trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b', // v1.2.4
- 'github/codeql-action/analyze@v1',
- 'github/codeql-action/init@v1',
- 'juliangruber/approve-pull-request-action@c530832d4d346c597332e20e03605aa94fa150a8',
- 'juliangruber/find-pull-request-action@db875662766249c049b2dcd85293892d61cb0b51', // v1.5.0
- 'juliangruber/read-file-action@e0a316da496006ffd19142f0fd594a1783f3b512',
- 'lee-dohm/no-response@9bb0a4b5e6a45046f00353d5de7d90fb8bd773bb',
-
'peter-evans/create-issue-from-file@b4f9ee0a9d4abbfc6986601d9b1a4f8f8e74c77e',
- 'peter-evans/create-or-update-comment@5221bf4aa615e5c6e95bb142f9673a9c791be2cd',
- 'peter-evans/create-pull-request@7380612b49221684fefa025244f2ef4008ae50ad', // v3.10.1
- 'peter-evans/find-comment@d2dae40ed151c634e4189471272b57e76ec19ba8', // v1.3.0
- 'rachmari/actions-add-new-issue-to-column@1a459ef92308ba7c9c9dc2fcdd72f232495574a9',
- 'repo-sync/github-sync@3832fe8e2be32372e1b3970bbae8e7079edeec88',
- 'repo-sync/pull-request@65194d8015be7624d231796ddee1cd52a5023cb3', // v2.6
- 'someimportantcompany/github-actions-slack-message@f8d28715e7b8a4717047d23f48c39827cacad340', // v1.2.2
- 'tjenkinson/gh-action-auto-merge-dependency-updates@c47f6255e06f36e84201ee940466e731ffa6e885', // v1.1.1
- 'Bhacaz/checkout-files@c8f01756bfd894ba746d5bf48205e19000b0742b', // v1.0.0
- 'EndBug/add-and-commit@2bdc0a61a03738a1d1bda24d566ad0dbe3083d87',
-]
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c2335b2113..2838e9d428 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,8 +31,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- - uses: github/codeql-action/init@v1
+ - uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5
 with:
 languages: javascript # comma separated list of values from {go, python, javascript, java, cpp, csharp} (not YET ruby, sorry!)
- - uses: github/codeql-action/analyze@v1
+ - uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5
 continue-on-error: true
diff --git a/tests/unit/actions-workflows.js b/tests/unit/actions-workflows.js
index c9e79837e7..143f4b8391 100644
--- a/tests/unit/actions-workflows.js
+++ b/tests/unit/actions-workflows.js
@@ -3,8 +3,7 @@ import path from 'path'
 import fs from 'fs'
 import yaml from 'js-yaml'
 import flat from 'flat'
-import { chain, difference, get } from 'lodash-es'
-import allowedActions from '../../.github/allowed-actions.js'
+import { chain, get } from 'lodash-es'
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 const workflowsDir = path.join(__dirname, '../../.github/workflows')
 const workflows = fs
@@ -31,16 +30,13 @@ const scheduledWorkflows = workflows
 const allUsedActions = chain(workflows).map(actionsUsedInWorkflow).flatten().uniq().sort().value()
 describe('GitHub Actions workflows', () => {
- test('all used actions are allowed in .github/allowed-actions.js', () => {
+ test('all used actions are listed', () => {
 expect(allUsedActions.length).toBeGreaterThan(0)
- const unusedActions = difference(allowedActions, allUsedActions)
- expect(unusedActions).toEqual([])
 })
- test('all allowed actions by .github/allowed-actions.js are used by at least one workflow', () => {
- expect(allowedActions.length).toBeGreaterThan(0)
- const disallowedActions = difference(allUsedActions, allowedActions)
- expect(disallowedActions).toEqual([])
+ test.each(allUsedActions)('requires specific hash: %p', (actionName) => {
+ const actionRegexp = /^[A-Za-z0-9-/]+@[0-9a-f]{40}$/
+ expect(actionName).toMatch(actionRegexp)
 })
 test('no scheduled workflows run on the hour', () => {
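Review bot: The pin check in the second hunk, `const actionRegexp = /^[A-Za-z0-9-/]+@[0-9a-f]{40}$/`, rejects any owner or repository name containing `.` or `_` and every repository-local action (`./.github/actions/...`, which carries no `@ref` at all), so the first workflow to use one would fail this test for reasons unrelated to pinning; if local actions are meant to be exempt, filter them out before `test.each`, and otherwise widen the name part to something like `/^[\w.-]+(\/[\w.-]+)+@[0-9a-f]{40}$/`. The regexp only establishes that the reference is 40 hex digits, not that the commit belongs to a released tag of that repository, so the `// vX.Y.Z` annotations the deleted allowlist carried are worth keeping as trailing comments on each `uses:` line in the workflows, where reviewers (though not this test) can check them. The first test's name, `'all used actions are listed'`, no longer describes what it does now that the two `difference` assertions are gone — it only checks `allUsedActions.length > 0` — and `test('at least one action is used', () => {` would be accurate. `actionsUsedInWorkflow`, which produces the strings under test, is defined outside the hunk, so whether it also yields `docker://` or local references cannot be confirmed from here.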