From 865a1743f7445080f35f8f511d4419c6069db291 Mon Sep 17 00:00:00 2001 From: Billy Lynch Date: Mon, 29 Jul 2024 16:41:53 -0400 Subject: [PATCH] e2e tests: Use beacon token. We've been getting a few security reports complaining about the use of pull_request_target. For the record, this token was only ever used for testing, and was not an actual security vulnerability. That said, we don't particularly enjoy having to explain this again and again, so move to the beacon token to hopefully quell these reports. The beacon token unfortunately does not support staging, so removing that e2e test for the time being. Signed-off-by: Billy Lynch --- .github/workflows/e2e.yaml | 64 ++++++++------------------------------ 1 file changed, 13 insertions(+), 51 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 10577589..82b994f8 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -2,16 +2,13 @@ name: E2E on: push: - pull_request_target: - branches: ["main"] + pull_request: workflow_dispatch: jobs: e2e: runs-on: ubuntu-latest permissions: - id-token: write # Enable OIDC - # The rest of these are sanity-check settings, since I'm not sure if the # org default is permissive or restricted. # See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token @@ -20,6 +17,7 @@ jobs: checks: none contents: read deployments: none + id-token: none issues: none packages: none pages: none @@ -30,18 +28,6 @@ jobs: steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - # Use the merge commit if type is pull_request/pull_request_target, - # else use the default ref. - # By default pull_request_target will use the base branch as the - # target since it was originally intended for trusted workloads. - # However, we need to use this to have access to the OIDC creds - # for the e2e tests, so insert our own logic here. - # This is effectively a ternary of the form ${{ && || }}. - # See https://docs.github.com/en/actions/learn-github-actions/expressions for more details. - ref: - ${{ startsWith(github.event_name, 'pull_request') && - format('refs/pull/{0}/merge', github.event.number) || github.ref }} - name: Set up Go uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 @@ -49,6 +35,13 @@ jobs: go-version: "1.22" check-latest: true + - name: Get test OIDC token + uses: sigstore-conformance/extremely-dangerous-public-oidc-beacon@main + + - name: export OIDC token + run: | + echo "SIGSTORE_ID_TOKEN=$(cat ./oidc-token.txt)" >> $GITHUB_ENV + - name: e2e unit tests run: | set -e @@ -87,10 +80,9 @@ jobs: echo "========== gitsign verify ==========" gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ + --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" + --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" # Extra debug info git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text @@ -109,39 +101,9 @@ jobs: echo "========== gitsign verify ==========" gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ - --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" - - # Extra debug info - git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text - - name: Test Sign and Verify commit - staging - env: - GITSIGN_OIDC_ISSUER: "https://oauth2.sigstage.dev/auth" - GITSIGN_FULCIO_URL: "https://fulcio.sigstage.dev" - GITSIGN_REKOR_URL: "https://rekor.sigstage.dev" - run: | - set -e - - # Initialize with staging TUF root - https://github.com/sigstore/root-signing-staging - rm -rf ~/.sigstore - wget -O root.json -U "gitsign e2e test" https://tuf-repo-cdn.sigstage.dev/4.root.json - gitsign initialize --mirror=https://tuf-repo-cdn.sigstage.dev --root=root.json - - # Sign commit - git commit --allow-empty -S --message="Signed commit" - - # Verify commit - echo "========== git verify-commit ==========" - git verify-commit HEAD - - echo "========== gitsign verify ==========" - gitsign verify \ - --certificate-github-workflow-repository=${{ github.repository }} \ - --certificate-github-workflow-sha=${{ github.sha }} \ + --certificate-github-workflow-repository="sigstore-conformance/extremely-dangerous-public-oidc-beacon" \ --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \ - --certificate-identity="https://github.com/${{ github.workflow_ref }}" + --certificate-identity="https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon/.github/workflows/extremely-dangerous-oidc-beacon.yml@refs/heads/main" # Extra debug info git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text