Security Violation: Golang Action: How to change GITHUB_WORKSPACE and checkout to that dir?

There is a problem with the default Golang Action from Github that it checks out code into the ${GITHUB_WORKSPACE}/work/ directory.

This is not compliant with older Golang runtimes that do not support outside-of-${GOPATH} locations for builds and package support.

I am currently running into a problem checking out a supporting package that compiles to a binary and needs to inspect my code.

The problem is that remote packages are not allowed to import absolute pathnames, as per Golang security requirements (to protect the user from malicious package imports).

Forcing the code checked out into this non-standard /work/ directory violates that standard.

What I have to do to work around this is to not use the Github golang action and instead manually check out my code, forcing a change of directory everywhere to the proper workspace.

https://github.com/eduncan911/github-actions/blob/8e9489d44a517d3855a4db557a1383bb796919b4/.github/workflows/go.yml

name: Go
on: [push]
jobs:

  build:
    name: Build
    runs-on: ubuntu-latest
    strategy:
      fail-fast: true

    steps:

    - name: Set up
      uses: actions/setup-go@v1
      with:
        go-version: 1.12
      id: go

    - name: Check out code the Go-Way
      run: go get github.com/${GITHUB_REPOSITORY}

    - name: Get dependencies
      run: |
        env
        cd ~/go/src/github.com/${GITHUB_REPOSITORY}
        go get -v -t -d ./...
        # the test brackets need spaces around their arguments
        if [ -f Gopkg.toml ]; then
            curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
            dep ensure
        fi
        go get -v github.com/mattn/goveralls
        go install -v github.com/mattn/goveralls

    - name: Build
      run: |
        cd ~/go/src/github.com/${GITHUB_REPOSITORY}
        go build -v ./...

    - name: Test
      run: |
        cd ~/go/src/github.com/${GITHUB_REPOSITORY}
        go test -covermode count -coverprofile cover.out
        ~/go/bin/goveralls -v -service github-actions -repotoken=${{ secrets.coveralls }} -coverprofile=cover.out

    - name: Benchmark
      run: |
        cd ~/go/src/github.com/${GITHUB_REPOSITORY}
        go test -test.run Benchmark -cpu 1 -bench .

As you can see, it is pretty annoying to cd each time I want to perform an action.

PS: Since the Jobs -> Job -> ENV option does not expand ENV vars, that doesn't seem to be an agnostic option either, because it would require hardcoding the username and repository. See this issue: https://github.community/t5/GitHub-Actions/ENV-vars-are-not-expanded-causing-DRY-violations/m-p/34498#M1939

PPS: The original problem happens when trying to run the newly installed goveralls binary. It tries to inspect the files located in the cover.out file (which is a list of absolute paths on the system). Golang only allows the import of paths relative to the $GOPATH (which is ~/go/src/) when tools are installed with go get ….

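An added example, not code from the original post: a POSIX shell helper that derives the GOPATH-relative checkout directory once from the owner/repo slug (rejecting malformed values before they reach a cd) and a check that flags coverprofile entries whose file names are absolute or "_/"-prefixed, which is how GOPATH-mode Go labels a package built outside $GOPATH/src. The function names and the sample cover.out are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post). Helper names are assumptions.

# Print "$GOPATH/src/github.com/<owner>/<repo>" for a GitHub slug.
# Anything that is not a plain owner/repo pair is rejected so that an
# unexpected value cannot steer a later `cd` somewhere else.
gopath_src_dir() {
    gopath="$1"; slug="$2"
    case "$slug" in
        ""|/*|*..*|*/*/*) return 1 ;;   # empty, absolute, traversal, extra segments
        */*) printf '%s/src/github.com/%s\n' "$gopath" "$slug" ;;
        *) return 1 ;;                  # no owner/repo separator
    esac
}

# List coverprofile files that are absolute or "_/"-prefixed. In GOPATH mode
# Go names a package outside GOPATH "_/abs/path", so any match means the
# build (and therefore `go test -coverprofile`) did not run from $GOPATH/src.
cover_abs_paths() {
    grep -E '^_?/' "$1" | cut -d: -f1 | sort -u
}

# Succeeds only when every entry in the coverprofile is an import path.
cover_is_gopath_clean() {
    [ -z "$(cover_abs_paths "$1")" ]
}

# Constructed sample cover.out: one entry from an out-of-GOPATH build and one
# from a build inside GOPATH. Prints the temporary file name.
make_sample_cover() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
mode: count
_/home/runner/work/example/example/main.go:10.20,12.3 1 1
github.com/example-owner/example/main.go:10.20,12.3 1 1
EOF
    printf '%s\n' "$f"
}

# Stand-alone demonstration with a constructed slug, not GITHUB_REPOSITORY.
demo() {
    dir="$(gopath_src_dir "${GOPATH:-$HOME/go}" "example-owner/example")"
    echo "checkout dir: $dir"
    f="$(make_sample_cover)"
    if cover_is_gopath_clean "$f"; then echo "cover.out is GOPATH-clean"
    else echo "cover.out has out-of-GOPATH entries:"; cover_abs_paths "$f"; fi
    rm -f "$f"
}
demo
```

In a workflow, the printed directory can be computed in one early step and reused, and the coverprofile check run before goveralls to fail fast with a clear message instead of an import-path error.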