Merge pull request Expensify#1006 from Expensify/andrew-actions-lockdown

Further lock down GitHub actions

.github/CODEOWNERS

@@ -1 +1,2 @@
+.github/workflows/ @AndrewGable @coleaeason @rafecolton
 * @Expensify/pullerbear

.github/SECURITY.md

@@ -0,0 +1 @@
+If you've found a vulnerability, please email [email protected] with the subject `Vulnerability Report` instead of creating an issue.

.github/workflows/README.md

@@ -0,0 +1,17 @@
+# [Expensify.cash](https://expensify.cash) GitHub Workflows
+
+## Security Rules 🔐
+1. Do **not** use `pull_request_target` trigger unless an external fork needs access to secrets, or a _write_ `GITHUB_TOKEN`.
+1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v2`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
+1. **Do use** the `pull_request` trigger as it does not send internal secrets and only grants a _read_ `GITHUB_TOKEN`.   
+1. If an external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash of the workflow to prevent a modification of underlying source code at that version. For example:
+    1. **Bad:** `hmarr/[email protected]` Relies on the tag
+    1. **Good:** `hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd` Explicit Git hash
+1. When creating secrets, use tightly scoped secrets that only allow access to that specific action's requirement
+1. Review all modifications to our workflows with extra scrutiny, it is important to get it correct the first time.
+1. Test workflow changes in your own public fork, for example: https://github.com/Andrew-Test-Org/Public-Test-Repo
+1. Only trusted users will be allowed write access to the repository, however, it's good to add logic checks in actions to prevent human error.
+
+## Further Reading 📖
+1. https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+1. https://stackoverflow.com/a/62143130/1858217

.github/workflows/automerge.yml

@@ -12,16 +12,25 @@ jobs:
         runs-on: ubuntu-latest
 
         steps:
+            - name: Export Files Changed
+              id: changed
+              # Version: 3.3.0
+              uses: futuratrepadeira/changed-files@1d252c611c64289d35243fc37ece7323ea5e93e1
+              with:
+                repo-token: ${{ secrets.GITHUB_TOKEN }}
+
             - name: Check for an auto approve
-              uses: hmarr/[email protected]
+              # Version: 2.0.0
+              uses: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd
               with:
                   github-token: ${{ secrets.GITHUB_TOKEN }}
-              if: github.event.label.name == 'automerge'
+              if: github.event.label.name == 'automerge' && github.actor == 'OSBotify' && steps.changed.outputs.files_updated == 'android/app/build.gradle ios/ExpensifyCash/Info.plist ios/ExpensifyCashTests/Info.plist package-lock.json package.json' && steps.changed.outputs.files_created == '' && steps.changed.outputs.files_deleted == ''
 
             - name: Check for an auto merge
-              uses: pascalgn/[email protected]
+              # Version: 0.12.0
+              uses: pascalgn/automerge-action@c9bd1823770819dc8fb8a5db2d11a3a95fbe9b07
               env:
-                  GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
             # This Slack step is duplicated in all workflows, if you make a change to this step, make sure to update all
             # the other workflows with the same change

.github/workflows/cla.yml

@@ -1,4 +1,4 @@
-name: "CLA Assistant"
+name: CLA Assistant
 
 on:
     issue_comment:
@@ -10,12 +10,13 @@ jobs:
     CLA:
         runs-on: ubuntu-latest
         steps:
-            - name: "CLA Assistant"
+            - name: CLA Assistant
               if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-              uses: cla-assistant/[email protected]
+              # Version: 2.0.2-alpha
+              uses: cla-assistant/github-action@5a4ef1e1a1f75bceafd9b12704f8a6da576bcf14
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  PERSONAL_ACCESS_TOKEN : ${{ secrets.BOTIFY_TOKEN }}
+                  PERSONAL_ACCESS_TOKEN : ${{ secrets.OS_BOTIFY_TOKEN }}
               with:
                   path-to-signatures: '${{ github.repository }}/cla.json'
                   path-to-document: 'https://github.com/${{ github.repository }}/blob/master/CLA.md'

.github/workflows/version.yml

@@ -9,10 +9,11 @@ jobs:
         runs-on: ubuntu-16.04
 
         steps:
-            - uses: actions/checkout@v2
+            # Version: 2.3.4
+            - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
               with:
                   fetch-depth: 0
-                  token: ${{ secrets.BOTIFY_TOKEN }}
+                  token: ${{ secrets.OS_BOTIFY_TOKEN }}
 
             - name: Setup Node
               uses: actions/setup-node@v1
@@ -45,12 +46,13 @@ jobs:
               run: git push --tags
 
             - name: Create Pull Request
-              uses: repo-sync/pull-request@v2
+              # Version: 2.4.3
+              uses: repo-sync/pull-request@33777245b1aace1a58c87a29c90321aa7a74bd7d
               with:
                     source_branch: version-bump-${{ github.sha }}
                     destination_branch: "master"
                     pr_label: "automerge"
-                    github_token: ${{ secrets.BOTIFY_TOKEN }}
+                    github_token: ${{ secrets.OS_BOTIFY_TOKEN }}
 
             # This Slack step is duplicated in all workflows, if you make a change to this step, make sure to update all
             # the other workflows with the same change

.github/workflows/web.yml

@@ -31,7 +31,8 @@ jobs:
                pip3 install cloudflare
 
         - name: Configure AWS Credentials
-          uses: aws-actions/configure-aws-credentials@v1
+          # Version: 1.5.5
+          uses: aws-actions/configure-aws-credentials@e97d7fbc8e0e5af69631c13daa0f4b5a8d88165b
           with:
             aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
             aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

CONTRIBUTING.md

@@ -11,7 +11,7 @@ This project and everyone participating in it is governed by the Expensify Code
 If you have a question, we ask that you do not create an issue, and instead email it to [email protected]. To ask realtime questions while you're working on your issue, you can join our slack channel. Just send an email to [email protected] with the subject "Slack Channel Invite" and we'll send you an invite!
 
 ## Reporting Vulnerabilities
-If you've found a vulnerability, please email reactnative@expensify.com with the subject `Vulnerability Report` instead of creating an issue.
+If you've found a vulnerability, please email security@expensify.com with the subject `Vulnerability Report` instead of creating an issue.
 
 ## Filing Issues
 If you'd like to create a new issue, please first make sure the issue does not exist in the [issue list](https://github.com/Expensify/ReactNativeChat/issues). When creating a new issue, please include all the required information on the issue template.

README.md

@@ -257,7 +257,7 @@ The GitHub workflows require a large list of secrets to deploy, notify and test
     3. `ios/chat_expensify_appstore.mobileprovision`
     4. `ios/Certificates.p12.gpg`
 2. `SLACK_WEBHOOK` - Sends Slack notifications via Slack WebHook https://expensify.slack.com/services/B01AX48D7MM
-3. `BOTIFY_TOKEN` - Personal access token for @Botify user in GitHub
+3. `OS_BOTIFY_TOKEN` - Personal access token for @OSBotify user in GitHub
 4. `CSC_LINK` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
 5. `CSC_KEY_PASSWORD` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
 6. `APPLE_ID` - Required for notarizing desktop code in `desktop/notarize.js`