Student Workflow protection

Hello! When setting up my automatic course grading on GitHub, I ran into a serious security problem: students can modify the workflow. This problem is quite old. More specifically:

  1. I create a new assignment with a template containing the grading.yml file with my testing setup, scripts and score submission.
  2. Student accepts the assignment.
  3. At this point, one can just modify grading.yml and, for example, skip testing, modify setup, print tokens, i.e run malicious code.

What I need is to work around this problem, or I’ll have to find another Classroom. I found some workarounds, but they aren’t very sophisticated:

  1. Create a webhook in the student repository that will trigger a workflow in a private repository, where only I can commit. That will solve the security problem, but students won’t be able to see pipelines logs and find what was wrong if anything fails. I can make the repository public, but that way they will be able to see any student’s pipelines logs.
  2. Create a webhook in the student repository that will send me and the student an email when there’s a commit with workflow changes. Not a solution for the security issue, but at least cheating will be noticed. False positives emails included :frowning:
  3. Use another CI system other than GitHub Actions, which is capable of prechecking workflow before running it.

How can I have both pipelines visible and security issues solved?

So, reusable workflows have audit events that allow you to see when they’re used.

You might be able to set your template to use a reusable workflow you control and then fail people who haven’t run it.

Essentially the client workflow is just a pointer.