Expensify.cash GitHub Workflows

Security Rules 🔐

  1. Do not use the pull_request_target trigger unless an external fork needs access to secrets or a write GITHUB_TOKEN.
  2. Do not ever write a pull_request_target trigger with an explicit PR checkout, e.g. using actions/checkout@v2. This is discussed further in the first link under Further Reading.
  3. Do use the pull_request trigger, as it does not send internal secrets and only grants a read GITHUB_TOKEN.
  4. If an external action needs access to any secret (GITHUB_TOKEN or an internal secret), pin the action to a commit hash rather than a tag, so that the underlying source code at that version cannot be modified. For example:
    1. Bad: hmarr/auto-approve-action@<version tag> (relies on the tag; the original tag value was lost in extraction)
    2. Good: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd (explicit Git hash)
  5. When creating secrets, use tightly scoped secrets that only allow access to that specific action's requirement.
  6. Review all modifications to our workflows with extra scrutiny; it is important to get it correct the first time.
  7. Test workflow changes in your own public fork, for example: https://github.com/Andrew-Test-Org/Public-Test-Repo
  8. Only trusted users will be allowed write access to the repository; however, it is still good to add logic checks in actions to prevent human error.
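The following is an added illustration of rules 1 to 4 and is not a workflow from the Expensify.cash repository. The first document is the shape rule 2 forbids (untrusted fork code executed under a trigger that carries secrets); the two documents after it split the work so that the fork's code runs only under pull_request, and the one step that needs a write token runs under pull_request_target without any checkout, with the action pinned to the commit hash from rule 4. The workflow names and the npm commands are assumptions for the example.

```yaml
# BAD: pull_request_target runs with the base repository's secrets and a
# write GITHUB_TOKEN, yet checks out and executes the fork's PR head.
name: ci-unsafe
on: pull_request_target
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code
      - run: npm ci && npm test                           # runs with secrets present

---
# GOOD (rule 3): pull_request sends no internal secrets and only a read
# GITHUB_TOKEN, so checking out and running the fork's code here is fine.
name: ci-test
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2   # checks out the PR merge ref; no secrets exposed
      - run: npm ci && npm test

---
# GOOD (rules 1, 2, 4): pull_request_target only because a write token is
# genuinely needed, no checkout of PR code at all, and the external action
# pinned to a full commit hash instead of a mutable tag.
name: ci-approve
on: pull_request_target
jobs:
  approve:
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

In a real repository each document would live in its own file under .github/workflows; they are joined with `---` here only to keep the comparison in one place.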

Further Reading 📖

  1. https://securitylab.github.com/research/github-actions-preventing-pwn-requests
  2. https://stackoverflow.com/a/62143130/1858217