[jira] [Commented] (HADOOP-19868) ci: add security comments to github actions

[ASF GitHub Bot (Jira)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-19868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18075568#comment-18075568
 ] 

ASF GitHub Bot commented on HADOOP-19868:
-----------------------------------------

ajfabbri commented on code in PR #8450:
URL: https://github.com/apache/hadoop/pull/8450#discussion_r3126709800


##########
.github/workflows/tmpl_build_and_test.yml:
##########
@@ -86,6 +90,20 @@ jobs:
     name: Build Image ${{ inputs.os }}-${{ inputs.branch }}
     runs-on: ubuntu-24.04
     needs: [ precondition ]
+    # Security: this does not leak write access for our image repository to
+    # forked repos.
+    #
+    # We have `packages: write` permissions for our GITHUB_TOKEN below. 
However:
+    #
+    # - For `pull_request`, GitHub downgrades GITHUB_TOKEN permissions to
+    #   read-only.
+    # - For `push` triggers on a fork, the GITHUB_TOKEN retains write
+    #   permissions, but the `push` is happening in the context of the fork, 
not
+    #   the upstream repo.
+    # - For `pull_request_target` (risky), the write permission is
+    #   overridden by our repository's setting "Send write tokens to workflows
+    #   from pull requests" which should be disabled.
+    #   See https://issues.apache.org/jira/browse/INFRA-27839 for confirmation.

Review Comment:
   Yes. Will take some care to test existing actions and see if they break, but 
I will file a Jira for this. Edit: 
https://issues.apache.org/jira/browse/HADOOP-19870





> ci: add security comments to github actions
> -------------------------------------------
>
>                 Key: HADOOP-19868
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19868
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: test
>            Reporter: Aaron Fabbri
>            Assignee: Aaron Fabbri
>            Priority: Minor
>              Labels: pull-request-available
>
> Following up on HADOOP-19858, I have a patch for some `# Security:` comments 
> to add to our github actions to explain why each workflow is safe. 
> I'm also following up on INFRA-27839, just to double check they haven't 
> enabled any risky defaults. I'll add comments with any details I find.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org