Composite action security #27091
Hello everyone!
Replies: 9 comments
38ri581oq480:
I don’t see anything about that in the Metadata syntax documentation. For Docker and Javascript actions, yes, but I see no such thing for composite actions.
38ri581oq480:
The key will remain in the agent and the agent isn’t stopped, so yes, it stays available on the machine. On a GitHub-hosted runner the impact should be limited because the runner VM is destroyed at the end of the job; on a self-hosted runner the stray ssh-agent might be more troublesome. Theoretically you could limit the impact by limiting the lifetime of the key inside the SSH agent (see the
Should I rewrite this action as a Docker or Javascript one to add ssh cleanup steps, or is it 100% safe to use as is, if it is only running on GitHub-hosted runners?
It’s up to you whether it’s safe enough for your use case and security requirements with the current constraints. What I will say is that I wouldn’t offer it in the Marketplace without a cleanup process that makes sure the started
Hey there!
I’m not going to pretend anything is 100% secure. I will point out the security flaws I still see though:
38ri581oq480:
I’d name it
38ri581oq480:
I’m afraid not, unless there is some undocumented
38ri581oq480:
The
38ri581oq480:
Not what I was thinking of, but it should work! The point is that the process table (what you get e.g. with
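Since, as noted earlier in the thread, the metadata syntax offers no post step for composite actions, the cleanup being asked for has to live in the workflow itself. The following is an added example, not code from this thread or from the action under discussion: a POSIX shell script that starts an agent with a bounded key lifetime via ssh-add’s -t option, tears the agent down from a workflow-level step (for instance one guarded with `if: always()` so it runs even when earlier steps fail), and filters the process table for agents that outlived their step, the check described in the reply above. The function names, the env-file and key-file arguments, the 10-minute default and the constructed ps lines are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the action being discussed.
# A composite action has no post step, so the agent must be torn down by a
# workflow-level step (e.g. one with `if: always()`) that calls stop_agent.
# Function names, the env-file path and the key path are this example's own.

# Start an ssh-agent and load one key with a bounded lifetime (ssh-add -t, in
# seconds; 10 minutes by default here) so the key expires from the agent even
# if the cleanup step never runs. The agent's variables are written to the
# given env file and, under GitHub Actions, exported to later steps via
# $GITHUB_ENV. Needs ssh-agent/ssh-add on the machine.
start_agent_with_ttl() {
  env_file=$1
  key_file=$2
  ttl=${3:-600}
  ssh-agent -s > "$env_file"
  # shellcheck disable=SC1090
  . "$env_file" > /dev/null
  ssh-add -t "$ttl" "$key_file"
  if [ -n "${GITHUB_ENV:-}" ]; then
    printf 'SSH_AUTH_SOCK=%s\nSSH_AGENT_PID=%s\n' \
      "$SSH_AUTH_SOCK" "$SSH_AGENT_PID" >> "$GITHUB_ENV"
  fi
}

# Stop the agent with the given PID: SIGTERM, wait briefly, then SIGKILL.
# Returns 0 only when no process with that PID is left, so a cleanup step can
# fail loudly if the agent survived. An empty PID means nothing to stop.
stop_agent() {
  pid=$1
  [ -n "$pid" ] || return 0
  if kill -0 "$pid" 2>/dev/null; then
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true   # reaps it if it is our own child
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 5 ]; do
      sleep 1
      i=$((i + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
      kill -9 "$pid" 2>/dev/null || true
    fi
  fi
  ! kill -0 "$pid" 2>/dev/null
}

# Filter `ps -eo pid=,user=,comm=` output (read from stdin) down to the PIDs
# of ssh-agent processes. Run after a job on a self-hosted runner: a non-empty
# result means an agent, and possibly its keys, outlived the step.
stray_ssh_agents() {
  awk '$3 == "ssh-agent" { print $1 }'
}

# Live check against this machine's process table.
list_stray_ssh_agents() {
  ps -eo pid=,user=,comm= | stray_ssh_agents
}
```

On a GitHub-hosted runner the VM is discarded after the job anyway; stop_agent and the process-table scan matter most on self-hosted runners, where a stray agent keeps the key available on the machine until the -t lifetime runs out.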
… new day - new problems
CONs:
This is insane. ssh-agent + GitHub Actions is such a big problem, actually. 😑 😑 😑 I am almost giving up and switching to using Portainer on all swarm nodes… to deploy the app from a DockerHub webhook. Such a sad story 😦
38ri581oq480:
This seems odd. It should be used, but the user (and thus home directory) might change inside the container. Also SSH ignores config files if they’re not owned by the user in question, or access rights are too wide.