Skip to content

workflows/release-binaries: Remove .git/config file from artifacts #106310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 31, 2024
Merged

workflows/release-binaries: Remove .git/config file from artifacts #106310

merged 3 commits into from
Aug 31, 2024

Conversation

tstellar
Copy link
Collaborator

The .git/config file contains an auth token that can be leaked if the .git directory is included in a workflow artifact.

@tstellar
workflows/release-binaries: Remove .git directory from artifacts
394676b 
The .git/config file contains a auth token that can be leaked if
the .git directory is included in a workflow artifact.
@tstellar tstellar requested review from tru and boomanaiden154 August 27, 2024 23:34
@llvmbot
Copy link
Member

llvmbot commented Aug 27, 2024

@llvm/pr-subscribers-github-workflow

Author: Tom Stellard (tstellar)

Changes

The .git/config file contains an auth token that can be leaked if the .git directory is included in a workflow artifact.

Full diff: https://github.com/llvm/llvm-project/pull/106310.diff

1 Files Affected:

  • (modified) .github/workflows/release-binaries-save-stage/action.yml (+4)
diff --git a/.github/workflows/release-binaries-save-stage/action.yml b/.github/workflows/release-binaries-save-stage/action.yml
index e2f3eeadd15bea..63d00255f6d8fb 100644
--- a/.github/workflows/release-binaries-save-stage/action.yml
+++ b/.github/workflows/release-binaries-save-stage/action.yml
@@ -18,6 +18,10 @@ runs:
     - name: Package Build and Source Directories
       shell: bash
       run: |
+        # Remove git directory so we avoid leaking secrets stored in .git/config.
+        # See https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
+        # This also helps reduce the size of the archive.
+        rm -Rf .git/
         # Windows does not support symlinks, so we need to dereference them.
         tar --exclude build/ ${{ (runner.os == 'Windows' && '-h') || '' }} -c . | zstd -T0 -c > ../llvm-project.tar.zst
         mv ../llvm-project.tar.zst .

boomanaiden154
boomanaiden154 approved these changes Aug 27, 2024
View reviewed changes
Copy link
Contributor

@boomanaiden154 boomanaiden154 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you come across this from the article or was there some scanner involved here?

I'm assuming the token by default won't have a large amount of permissions though and should be ephemeral?

Speaking of that, do we want to tack on a

permissions:
  contents: read

at the top?

@tstellar
Copy link
Collaborator Author

Did you come across this from the article or was there some scanner involved here?

It's from the article linked in the comment.

I'm assuming the token by default won't have a large amount of permissions though and should be ephemeral?

The called workflow inherits the caller permissions, so the tokens should be read-only and only usable while the workflow is running.

Speaking of that, do we want to tack on a

permissions:
  contents: read

I'm not sure if the composite actions support top-level permissions, but I'll try it.

@boomanaiden154
Copy link
Contributor

I'm not sure if the composite actions support top-level permissions, but I'll try it.

Ah, it's an action. I did not realize that.

@tstellar
Only delete .git/config
e6a41bc 
Deleting the whole .git directory breaks the VersionFromVCS computation
for stage2 and stage3.
tru
tru approved these changes Aug 28, 2024
View reviewed changes
Copy link
Collaborator

@tru tru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tstellar tstellar changed the title workflows/release-binaries: Remove .git directory from artifacts workflows/release-binaries: Remove .git/config file from artifacts Aug 29, 2024
@tstellar tstellar merged commit ef50970 into llvm:main Aug 31, 2024
35 of 39 checks passed
@tstellar tstellar added this to the LLVM 19.X Release milestone Aug 31, 2024
@tstellar
Copy link
Collaborator Author

/cherry-pick ef50970

llvmbot pushed a commit to llvmbot/llvm-project that referenced this pull request Aug 31, 2024
@tstellar @llvmbot
workflows/release-binaries: Remove .git/config file from artifacts (l…
b2f366f 
…lvm#106310)

The .git/config file contains an auth token that can be leaked if the
.git directory is included in a workflow artifact.

(cherry picked from commit ef50970)
@llvmbot
Copy link
Member

llvmbot commented Aug 31, 2024

/pull-request #106821

tru pushed a commit to llvmbot/llvm-project that referenced this pull request Sep 1, 2024
@tstellar @tru
workflows/release-binaries: Remove .git/config file from artifacts (l…
c21b039 
…lvm#106310)

The .git/config file contains an auth token that can be leaked if the
.git directory is included in a workflow artifact.

(cherry picked from commit ef50970)
@thewtex thewtex mentioned this pull request Feb 10, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tru tru tru approved these changes

@boomanaiden154 boomanaiden154 boomanaiden154 approved these changes

Assignees
No one assigned
Labels
github:workflow
Projects
LLVM Release Status
Status: Done
Milestone
LLVM 19.X Release
Development

Successfully merging this pull request may close these issues.
4 participants
@tstellar @llvmbot @boomanaiden154 @tru