-
Notifications
You must be signed in to change notification settings - Fork 11.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
workflows: Add a job for auditing release assets
This checks to ensure that uploads are only made by 'approved' uploaders, which is just everyone who has uploaded a release asset in the past. We could do more, but this is just a simple implementation so we can put something in place and see how it works. For more discussion see: https://discourse.llvm.org/t/rfc-improve-binary-security/78121
- Loading branch information
Showing
2 changed files
with
85 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| import github | ||
| import sys | ||
|
|
||
| token = sys.argv[1] | ||
|
|
||
| gh = github.Github(login_or_token=token) | ||
| repo = gh.get_repo('llvm/llvm-project') | ||
|
|
||
| uploaders = set([ | ||
| 'DimitryAndric', | ||
| 'stefanp-ibm', | ||
| 'lei137', | ||
| 'omjavaid', | ||
| 'nicolerabjohn', | ||
| 'amy-kwan', | ||
| 'mandlebug', | ||
| 'zmodem', | ||
| 'androm3da', | ||
| 'tru', | ||
| 'rovka', | ||
| 'rorth', | ||
| 'quinnlp', | ||
| 'kamaub', | ||
| 'abrisco', | ||
| 'jakeegan', | ||
| 'maryammo', | ||
| 'tstellar', | ||
| 'github-actions[bot]' | ||
| ]) | ||
|
|
||
| for release in repo.get_releases(): | ||
| print("Release:", release.title) | ||
| for asset in release.get_assets(): | ||
| created_at = asset.created_at | ||
| updated_at = "" if asset.created_at == asset.updated_at else asset.updated_at | ||
| print(f'{asset.name} : {asset.uploader.login} [{created_at} {updated_at}] ( {asset.download_count} )') | ||
| if asset.uploader.login not in uploaders: | ||
| print("Invalid uploader") | ||
| sys.exit(1) | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| name: Release Asset Audit | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| schedule: | ||
| # * is a special character in YAML so you have to quote this string | ||
| # Run once an hour | ||
| - cron: '5 * * * *' | ||
|
|
||
| pull_request: | ||
| paths: | ||
| - ".github/workflows/release-asset-audit.py" | ||
| - ".github/workflows/release-asset-audit.yml" | ||
|
|
||
| permissions: | ||
| contents: read # Default everything to read-only | ||
|
|
||
|
|
||
| jobs: | ||
| audit: | ||
| name: "Release Asset Audit" | ||
| runs-on: ubuntu-22.04 | ||
| if: github.repository == 'llvm/llvm-project' | ||
| steps: | ||
| - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6 | ||
| - name: "Run Audit Script" | ||
| env: | ||
| GITHUB_TOKEN: ${{ github.token }} | ||
| run: | | ||
| pip install --require-hashes -r ./llvm/utils/git/requirements.txt | ||
| python3 ./.github/workflows/release-asset-audit.py $GITHUB_TOKEN | ||
| - name: "File Issue" | ||
| if: failure() | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1 | ||
| with: | ||
| github-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }} | ||
| script: | | ||
| const issue = await github.rest.issues.create({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| title: "Release Asset Audit Failed", | ||
| body: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`, | ||
| labels: ['infrastructure'] | ||
| }); | ||
| console.log(issue); |