
Comments (4)

aidansteele avatar aidansteele commented on August 22, 2024 1

@mykter My apologies for not responding significantly sooner. I must have misconfigured my GitHub notification settings as I don't recall getting an email about this.

With regards to this code snippet you referenced:

actions2aws/api/api.go

Lines 88 to 91 in bcc43f9

if run.Repository.ID != run.HeadRepository.ID && run.Repository.ID != 0 {
    // this is a fork, no credentials for you
    return nil, errors.New("no credentials for a fork")
}

That code will return an error if the CI run is for a commit in a fork of the repo. If the commit is pushed to the origin, it will run - but other repos (forks) will fail. My implicit assumption is that code committed to any branch in the origin is trustworthy, but I should make this assumption explicit as you rightly point out.

Regarding the usage of GitHub secrets: again you are correct in that these aren't highly sensitive secrets. They're more there for protection of information from casual snooping. If they were for some reason printed to log files it shouldn't be a big deal.

from actions2aws.
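The trust decision discussed above, written out as a stand-alone Go example (added here, not the project's code): the origin/fork comparison is made explicit, and the constructed Repo and WorkflowRun types stand in for the GitHub API fields the snippet reads. Unlike the snippet in the thread, a missing (zero) origin ID fails closed rather than being let through.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the workflow-run fields the check consults.
type Repo struct {
	ID       int64
	FullName string
}

type WorkflowRun struct {
	Repository     Repo // the repository the workflow runs in (the origin)
	HeadRepository Repo // the repository the commit actually came from
}

var (
	ErrFork        = errors.New("no credentials for a fork")
	ErrUnknownRepo = errors.New("workflow run has no origin repository id")
)

// trustedRun makes the assumption from the thread explicit: only commits whose
// head repository is the origin itself may receive credentials. A zero origin
// ID is treated as unknown and rejected (fail closed).
func trustedRun(run WorkflowRun) error {
	if run.Repository.ID == 0 {
		return ErrUnknownRepo
	}
	if run.HeadRepository.ID != run.Repository.ID {
		return ErrFork
	}
	return nil
}

func main() {
	origin := Repo{ID: 1001, FullName: "example/origin"} // constructed sample values
	fork := Repo{ID: 2002, FullName: "someone/origin"}
	for _, run := range []WorkflowRun{
		{Repository: origin, HeadRepository: origin},
		{Repository: origin, HeadRepository: fork},
		{Repository: Repo{}, HeadRepository: fork},
	} {
		fmt.Printf("%q <- %q: %v\n", run.Repository.FullName, run.HeadRepository.FullName, trustedRun(run))
	}
}
```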

kapilt avatar kapilt commented on August 22, 2024

This still uses GitHub secrets, which are only executed against trunk/master/main, not against PRs.


mykter avatar mykter commented on August 22, 2024

True, it wouldn't work directly in the example workflow given; however, the two values stored in GitHub secrets are the endpoint URL and account ID. Generally speaking, you can't assume those two values are secrets in the same way that credentials are secret - they can get leaked in various ways, so our hypothetical attacker could replace the use of the 'secrets' with their actual static values.

Indeed, the goal of this tool as I understand it is to avoid the need to have secrets in GitHub - if we're doing that then you may as well do the simple option of storing AWS creds in GitHub.


mykter avatar mykter commented on August 22, 2024

That makes sense, thanks.

