Hello! When setting up my automatic course grading on GitHub, I ran into a serious security problem: students can modify the workflow. This problem is quite old. More specifically:
- I create a new assignment with a template containing the
grading.ymlfile with my testing setup, scripts and score submission.
- Student accepts the assignment.
- At this point, one can just modify
grading.ymland, for example, skip testing, modify setup, print tokens, i.e run malicious code.
What I need is to work around this problem, or I’ll have to find another Classroom. I found some workarounds, but they aren’t very sophisticated:
- Create a webhook in the student repository that will trigger a workflow in a private repository, where only I can commit. That will solve the security problem, but students won’t be able to see pipelines logs and find what was wrong if anything fails. I can make the repository public, but that way they will be able to see any student’s pipelines logs.
- Create a webhook in the student repository that will send me and the student an email when there’s a commit with workflow changes. Not a solution for the security issue, but at least cheating will be noticed. False positives emails included
- Use another CI system other than GitHub Actions, which is capable of prechecking workflow before running it.
How can I have both pipelines visible and security issues solved?