diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 84ce2599a06c..1a2db671c0ea 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1,2 @@
+.github/workflows/ @AndrewGable @coleaeason @rafecolton
 * @Expensify/pullerbear
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 000000000000..ce66fd67a2c9
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1 @@
+If you've found a vulnerability, please email security@expensify.com with the subject `Vulnerability Report` instead of creating an issue.
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
new file mode 100644
index 000000000000..ff6727d674c0
--- /dev/null
+++ b/.github/workflows/README.md
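Review bot: The new `.github/workflows/` rule does not cover `.github/CODEOWNERS` itself, so a change that removes or widens the workflow owners falls back to the `*` rule and needs only an @Expensify/pullerbear review. Consider giving the file the same owners, `.github/CODEOWNERS @AndrewGable @coleaeason @rafecolton`, and adding a `#` comment above the rules noting that they only bite when the branch protection requires code-owner review.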
@@ -0,0 +1,17 @@
+# [Expensify.cash](https://expensify.cash) GitHub Workflows
+
+## Security Rules 🔐
+1. Do **not** use `pull_request_target` trigger unless an external fork needs access to secrets, or a _write_ `GITHUB_TOKEN`.
+1. Do **not ever** write a `pull_request_target` trigger with an explicit PR checkout, e.g. using `actions/checkout@v2`. This is [discussed further here](https://securitylab.github.com/research/github-actions-preventing-pwn-requests)
+1. **Do use** the `pull_request` trigger as it does not send internal secrets and only grants a _read_ `GITHUB_TOKEN`.
+1. If an external action needs access to any secret (`GITHUB_TOKEN` or internal secret), use the commit hash of the workflow to prevent a modification of underlying source code at that version. For example:
+ 1. **Bad:** `hmarr/auto-approve-action@v2.0.0` Relies on the tag
+ 1. **Good:** `hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd` Explicit Git hash
+1. When creating secrets, use tightly scoped secrets that only allow access to that specific action's requirement
+1. Review all modifications to our workflows with extra scrutiny, it is important to get it correct the first time.
+1. Test workflow changes in your own public fork, for example: https://github.com/Andrew-Test-Org/Public-Test-Repo
+1. Only trusted users will be allowed write access to the repository, however, it's good to add logic checks in actions to prevent human error.
+
+## Further Reading 📖
+1. https://securitylab.github.com/research/github-actions-preventing-pwn-requests
+1. https://stackoverflow.com/a/62143130/1858217
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
index b1b0f8525c43..b1faf6401c64 100644
--- a/.github/workflows/automerge.yml
+++ b/.github/workflows/automerge.yml
@@ -12,16 +12,25 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Export Files Changed
+ id: changed
+ # Version: 3.3.0
+ uses: futuratrepadeira/changed-files@1d252c611c64289d35243fc37ece7323ea5e93e1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Check for an auto approve
- uses: hmarr/auto-approve-action@v2.0.0
+ # Version: 2.0.0
+ uses: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
- if: github.event.label.name == 'automerge'
+ if: github.event.label.name == 'automerge' && github.actor == 'OSBotify' && steps.changed.outputs.files_updated == 'android/app/build.gradle ios/ExpensifyCash/Info.plist ios/ExpensifyCashTests/Info.plist package-lock.json package.json' && steps.changed.outputs.files_created == '' && steps.changed.outputs.files_deleted == ''
 - name: Check for an auto merge
- uses: pascalgn/automerge-action@v0.9.0
+ # Version: 0.12.0
+ uses: pascalgn/automerge-action@c9bd1823770819dc8fb8a5db2d11a3a95fbe9b07
 env:
- GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # This Slack step is duplicated in all workflows, if you make a change to this step, make sure to update all
 # the other workflows with the same change
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 3e0e130309e1..4c695e248b93 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -1,4 +1,4 @@
-name: "CLA Assistant"
+name: CLA Assistant
 on:
 issue_comment:
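Review bot: The new `if:` on the auto-approve step packs four conditions and an exact five-file allow-list into one ~330-character line, which is the line a reviewer most needs to read carefully here and the one least readable as written; the file list must also match the action's `files_updated` output ordering and separator exactly (presumably space-separated in path order — confirm against the action), so it deserves a comment saying what it is gating. Since `github.actor` is the account that triggered the run, the check relies on OSBotify being the one to apply the label, which is worth stating alongside. A folded scalar with one condition per line keeps the identical expression and makes the allow-list diffable; the job header sits above the hunk.
```yaml
      - name: Check for an auto approve
        # … unchanged: pinned uses / with …
        # Only auto-approve version-bump PRs labeled by OSBotify: exactly these
        # five files modified, nothing created or deleted. Any other labeled
        # event leaves this step skipped.
        if: >-
          github.event.label.name == 'automerge'
          && github.actor == 'OSBotify'
          && steps.changed.outputs.files_updated == 'android/app/build.gradle ios/ExpensifyCash/Info.plist ios/ExpensifyCashTests/Info.plist package-lock.json package.json'
          && steps.changed.outputs.files_created == ''
          && steps.changed.outputs.files_deleted == ''
```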
@@ -10,12 +10,13 @@ jobs:
 CLA:
 runs-on: ubuntu-latest
 steps:
- - name: "CLA Assistant"
+ - name: CLA Assistant
 if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
- uses: cla-assistant/github-action@v2.0.2-alpha
+ # Version: 2.0.2-alpha
+ uses: cla-assistant/github-action@5a4ef1e1a1f75bceafd9b12704f8a6da576bcf14
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PERSONAL_ACCESS_TOKEN : ${{ secrets.BOTIFY_TOKEN }}
+ PERSONAL_ACCESS_TOKEN : ${{ secrets.OS_BOTIFY_TOKEN }}
 with:
 path-to-signatures: '${{ github.repository }}/cla.json'
 path-to-document: 'https://github.com/${{ github.repository }}/blob/master/CLA.md'
diff --git a/.github/workflows/version.yml b/.github/workflows/version.yml
index 947778b7b55b..c1be3a70324e 100644
--- a/.github/workflows/version.yml
+++ b/.github/workflows/version.yml
@@ -9,10 +9,11 @@ jobs:
 runs-on: ubuntu-16.04
 steps:
- - uses: actions/checkout@v2
+ # Version: 2.3.4
+ - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
 with:
 fetch-depth: 0
- token: ${{ secrets.BOTIFY_TOKEN }}
+ token: ${{ secrets.OS_BOTIFY_TOKEN }}
 - name: Setup Node
 uses: actions/setup-node@v1
@@ -45,12 +46,13 @@ jobs:
 run: git push --tags
 - name: Create Pull Request
- uses: repo-sync/pull-request@v2
+ # Version: 2.4.3
+ uses: repo-sync/pull-request@33777245b1aace1a58c87a29c90321aa7a74bd7d
 with:
 source_branch: version-bump-${{ github.sha }}
 destination_branch: "master"
 pr_label: "automerge"
- github_token: ${{ secrets.BOTIFY_TOKEN }}
+ github_token: ${{ secrets.OS_BOTIFY_TOKEN }}
 # This Slack step is duplicated in all workflows, if you make a change to this step, make sure to update all
 # the other workflows with the same change
diff --git a/.github/workflows/web.yml b/.github/workflows/web.yml
index 2859e361ebb2..302f87c54c8b 100644
--- a/.github/workflows/web.yml
+++ b/.github/workflows/web.yml
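Review bot: The new `PERSONAL_ACCESS_TOKEN :` line keeps a space before the colon; YAML accepts it, but it is the only key in the hunk written that way, so `PERSONAL_ACCESS_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}`. This step also runs under `pull_request_target` (per its `if:`) and hands the OSBotify PAT to a third-party action, exactly the combination the new workflows README asks to be reviewed with extra scrutiny; the commit-hash pin covers the action's code, but a comment above `env:` recording why the PAT rather than `GITHUB_TOKEN` is required, and that no step in this job checks out PR code (none is visible in the hunk), would let the next reviewer confirm the README's rules without re-deriving them. The `with:` block, and possibly the job, continues past the hunk.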
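Review bot: `actions/checkout` is given the OSBotify PAT as `token:` and, unless `persist-credentials: false` is set, writes it into the workspace's git config for later steps — presumably what `git push --tags` in the next hunk relies on. That leaves the credential reachable by every subsequent step, including the still tag-pinned `actions/setup-node@v1` on the hunk's last context line, so pinning that action by hash as well, or a comment above it recording why a tag is acceptable there, would keep this job consistent with the pinning rule the workflows README introduces. The job's header lies above the hunk.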
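Review bot: The `pr_label: "automerge"` plus `github_token: ${{ secrets.OS_BOTIFY_TOKEN }}` pairing is presumably what the auto-approve condition in automerge.yml (`automerge` label applied by `OSBotify`) depends on, but nothing in this step records that coupling, so a later change of token or label here would silently stop the auto-approve without any error. A comment such as `# Created as OSBotify so automerge.yml will auto-approve this version-bump PR` above `github_token:` ties the two workflows together for the next reader.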
@@ -31,7 +31,8 @@ jobs:
 pip3 install cloudflare
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
+ # Version: 1.5.5
+ uses: aws-actions/configure-aws-credentials@e97d7fbc8e0e5af69631c13daa0f4b5a8d88165b
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index e1a992e6d5e3..d872edd51aba 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -11,7 +11,7 @@ This project and everyone participating in it is governed by the Expensify Code
 If you have a question, we ask that you do not create an issue, and instead email it to reactnative@expensify.com. To ask realtime questions while you're working on your issue, you can join our slack channel. Just send an email to reactnative@expensify.com with the subject "Slack Channel Invite" and we'll send you an invite!
 ## Reporting Vulnerabilities
-If you've found a vulnerability, please email reactnative@expensify.com with the subject `Vulnerability Report` instead of creating an issue.
+If you've found a vulnerability, please email security@expensify.com with the subject `Vulnerability Report` instead of creating an issue.
 ## Filing Issues
 If you'd like to create a new issue, please first make sure the issue does not exist in the [issue list](https://github.com/Expensify/ReactNativeChat/issues). When creating a new issue, please include all the required information on the issue template.
diff --git a/README.md b/README.md
index d483dbc98bd5..9cb6e3d5cbf5 100644
--- a/README.md
+++ b/README.md
@@ -257,7 +257,7 @@ The GitHub workflows require a large list of secrets to deploy, notify and test
 3. `ios/chat_expensify_appstore.mobileprovision`
 4. `ios/Certificates.p12.gpg`
 2. `SLACK_WEBHOOK` - Sends Slack notifications via Slack WebHook https://expensify.slack.com/services/B01AX48D7MM
-3. `BOTIFY_TOKEN` - Personal access token for @Botify user in GitHub
+3. `OS_BOTIFY_TOKEN` - Personal access token for @OSBotify user in GitHub
 4. `CSC_LINK` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
 5. `CSC_KEY_PASSWORD` - Required to be set for desktop code signing: https://www.electron.build/code-signing.html#travis-appveyor-and-other-ci-servers
 6. `APPLE_ID` - Required for notarizing desktop code in `desktop/notarize.js`