[llvm] workflows: Add a job for auditing release assets (PR #92829)

Mon May 20 15:23:30 PDT 2024

llvmbot wrote:




@llvm/pr-subscribers-github-workflow

Author: Tom Stellard (tstellar)

<details>
<summary>Changes</summary>

This checks to ensure that uploads are only made by 'approved' uploaders, which is just everyone who has uploaded a release asset in the past.

We could do more, but this is just a simple implementation so we can put something in place and see how it works.

For more discussion see:
https://discourse.llvm.org/t/rfc-improve-binary-security/78121

---
Full diff: https://github.com/llvm/llvm-project/pull/92829.diff


2 Files Affected:

- (added) .github/workflows/release-asset-audit.py (+40) 
- (added) .github/workflows/release-asset-audit.yml (+45) 


``````````diff

diff --git a/.github/workflows/release-asset-audit.py b/.github/workflows/release-asset-audit.py
new file mode 100644
index 0000000000000..02ba426293af6
--- /dev/null
+++ b/.github/workflows/release-asset-audit.py
@@ -0,0 +1,40 @@
+import github
+import sys
+
+token = sys.argv[1]
+
+gh = github.Github(login_or_token=token)
+repo = gh.get_repo('llvm/llvm-project')
+
+uploaders = set([
+    'DimitryAndric',
+    'stefanp-ibm',
+    'lei137',
+    'omjavaid',
+    'nicolerabjohn',
+    'amy-kwan',
+    'mandlebug',
+    'zmodem',
+    'androm3da',
+    'tru',
+    'rovka',
+    'rorth',
+    'quinnlp',
+    'kamaub',
+    'abrisco',
+    'jakeegan',
+    'maryammo',
+    'tstellar',
+    'github-actions[bot]'
+])
+
+for release in repo.get_releases():
+    print("Release:", release.title)
+    for asset in release.get_assets():
+        created_at = asset.created_at
+        updated_at = "" if asset.created_at == asset.updated_at else asset.updated_at
+        print(f'{asset.name} : {asset.uploader.login} [{created_at} {updated_at}] ( {asset.download_count} )')
+        if asset.uploader.login not in uploaders:
+          print("Invalid uploader")
+          sys.exit(1)
+
diff --git a/.github/workflows/release-asset-audit.yml b/.github/workflows/release-asset-audit.yml
new file mode 100644
index 0000000000000..9d140527218ff
--- /dev/null
+++ b/.github/workflows/release-asset-audit.yml
@@ -0,0 +1,45 @@
+name: Release Asset Audit
+
+on:
+  workflow_dispatch:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    # Run once an hour
+    - cron:  '5 * * * *'
+
+  pull_request:
+    paths:
+      - ".github/workflows/release-asset-audit.py"
+      - ".github/workflows/release-asset-audit.yml"
+
+permissions:
+  contents: read # Default everything to read-only
+
+
+jobs:
+  audit:
+    name: "Release Asset Audit"
+    runs-on: ubuntu-22.04
+    if: github.repository == 'llvm/llvm-project'
+    steps:
+      - uses: actions/checkout at a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - name: "Run Audit Script"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          pip install --require-hashes -r ./llvm/utils/git/requirements.txt
+          python3 ./.github/workflows/release-asset-audit.py $GITHUB_TOKEN
+      - name: "File Issue"
+        if: failure()
+        uses: actions/github-script at 60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+        with:
+          github-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}
+          script: |
+            const issue = await github.rest.issues.create({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               title: "Release Asset Audit Failed",
+               body: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+               labels: ['infrastructure']
+            });
+            console.log(issue);

``````````

</details>


https://github.com/llvm/llvm-project/pull/92829
