Secure Communication Between Actions and App #24700
-
I maintain a GitHub App with the following flow:
Ideally, I’d like a way to verify that the upload in the second step comes from a GitHub process - basically, a shared secret, similar to how I can verify webhook payloads. I don’t want to require users of the App to manually configure an organization-level secret, and most are hesitant to grant the “secrets” permission required to setup such a secret via API upon installation. It would be great if Apps automatically had a shared secret associated with an installation, or similar. Does such functionality already exist, or if not, is there somewhere other than here I should be starting a request/discussion about servicing this use case? |
Beta Was this translation helpful? Give feedback.
Replies: 5 comments
-
I don’t think this functionality exists, but that’s an interesting idea… and I think there may be options to achieve this now. The first option is to use the
Then you can use the 200 or 401 response of this request to pass or fail the check.
The downside of this approach is that your validation of an upload must be synchronous because the token will expire the moment the Run completes – and so doing it in the background is not an option. Another option could be to implement an intermediary step: accept uploads without any authentication, but hold the uploads for processing until a GitHub Webhook provides you information required to determine the upload was genuine. For example,
For example, if I submit an upload for Does that help, or do you have any considerations these options miss? |
Beta Was this translation helpful? Give feedback.
-
The Using |
Beta Was this translation helpful? Give feedback.
-
romeara:
I agree! Hopefully, someone from GitHub sees this but their Roadmap is very full so it’s probably worth moving forward with a workaround if you need to deliver this in the next few quarters.
romeara:
I think there are arguments in favour and arguments against. The key argument against this is that these tokens are not designed to be used externally and a security audit from an especially cautious customer might flag it as a concern, “why is this Action exfiltrating our tokens?”. Personally, though, I think there is a strong justification for using these tokens externally if done so with security in mind. The tokens are described as a way to “authenticate on behalf of GitHub Actions” which is the intent of your implementation. The permissions configuration for these tokens enables a Workflow administrator (i.e: your customer) to confidently restrict the scope of the token down to the same level that a GitHub App has by default.
From the GitHub Apps Permissions documentation (emphasis mine):
My conclusion is that it’s justifiable, the key points that lead me to that conclusion:
|
Beta Was this translation helpful? Give feedback.
-
That is a very comprehensive analysis, thank you! based on what you’d provided, I’m leaning towards using the token, at least as a first iteration to improve upon the current situation. |
Beta Was this translation helpful? Give feedback.
-
You definitely don’t want to use the It isn’t official yet, but it may be the case you can generate a JWT using this action
And from there pass the JWT to your app to verify it. If the token doesn’t have what you need you can configure it further using third party services such as Vault or Authress. |
Beta Was this translation helpful? Give feedback.
I don’t think this functionality exists, but that’s an interesting idea… and I think there may be options to achieve this now.
The first option is to use the
GITHUB_TOKEN
associated with the Run, as this token will remain active while the Run is in progress. The upload endpoint of your App would accept theGITHUB_TOKEN
from the Action and use it to verify access to the target repository.Then you can use the 200 or 401 response of this request to pass or fail the check.