[llvm] workflows: Add a job for auditing release assets (PR #92829)
via llvm-commits
llvm-commits at lists.llvm.org
Mon May 20 15:23:30 PDT 2024
llvmbot wrote:
@llvm/pr-subscribers-github-workflow
Author: Tom Stellard (tstellar)
<details>
<summary>Changes</summary>
This checks to ensure that uploads are only made by 'approved' uploaders, which is just everyone who has uploaded a release asset in the past.
We could do more, but this is just a simple implementation so we can put something in place and see how it works.
For more discussion see:
https://discourse.llvm.org/t/rfc-improve-binary-security/78121
---
Full diff: https://github.com/llvm/llvm-project/pull/92829.diff
2 Files Affected:
- (added) .github/workflows/release-asset-audit.py (+40)
- (added) .github/workflows/release-asset-audit.yml (+45)
``````````diff
diff --git a/.github/workflows/release-asset-audit.py b/.github/workflows/release-asset-audit.py
new file mode 100644
index 0000000000000..02ba426293af6
--- /dev/null
+++ b/.github/workflows/release-asset-audit.py
@@ -0,0 +1,40 @@
+import github
+import sys
+
+token = sys.argv[1]
+
+gh = github.Github(login_or_token=token)
+repo = gh.get_repo('llvm/llvm-project')
+
+uploaders = set([
+ 'DimitryAndric',
+ 'stefanp-ibm',
+ 'lei137',
+ 'omjavaid',
+ 'nicolerabjohn',
+ 'amy-kwan',
+ 'mandlebug',
+ 'zmodem',
+ 'androm3da',
+ 'tru',
+ 'rovka',
+ 'rorth',
+ 'quinnlp',
+ 'kamaub',
+ 'abrisco',
+ 'jakeegan',
+ 'maryammo',
+ 'tstellar',
+ 'github-actions[bot]'
+])
+
+for release in repo.get_releases():
+ print("Release:", release.title)
+ for asset in release.get_assets():
+ created_at = asset.created_at
+ updated_at = "" if asset.created_at == asset.updated_at else asset.updated_at
+ print(f'{asset.name} : {asset.uploader.login} [{created_at} {updated_at}] ( {asset.download_count} )')
+ if asset.uploader.login not in uploaders:
+ print("Invalid uploader")
+ sys.exit(1)
+
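Review bot: the token is read from `sys.argv[1]` (line `token = sys.argv[1]`), which places the secret in the process's command line, readable by any other process on the runner via `ps` or `/proc/<pid>/cmdline`; the workflow already exports it as `GITHUB_TOKEN`, so read `os.environ["GITHUB_TOKEN"]` instead. In the loop, `sys.exit(1)` on the first unexpected uploader means a single run never reports a second bad asset, and the bare "Invalid uploader" message does not say which release, asset or login tripped the check, so the filed issue cannot be acted on without re-running the script; collect every failure into a list, print the release, asset name and login for each, and exit non-zero at the end. Also worth a comment next to the `'github-actions[bot]'` entry: assets uploaded with a workflow token are recorded under that login, so any workflow in this repository that obtains a `contents: write` token can produce uploads that pass this allowlist.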
diff --git a/.github/workflows/release-asset-audit.yml b/.github/workflows/release-asset-audit.yml
new file mode 100644
index 0000000000000..9d140527218ff
--- /dev/null
+++ b/.github/workflows/release-asset-audit.yml
@@ -0,0 +1,45 @@
+name: Release Asset Audit
+
+on:
+ workflow_dispatch:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ # Run once an hour
+ - cron: '5 * * * *'
+
+ pull_request:
+ paths:
+ - ".github/workflows/release-asset-audit.py"
+ - ".github/workflows/release-asset-audit.yml"
+
+permissions:
+ contents: read # Default everything to read-only
+
+
+jobs:
+ audit:
+ name: "Release Asset Audit"
+ runs-on: ubuntu-22.04
+ if: github.repository == 'llvm/llvm-project'
+ steps:
+ - uses: actions/checkout at a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+ - name: "Run Audit Script"
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ run: |
+ pip install --require-hashes -r ./llvm/utils/git/requirements.txt
+ python3 ./.github/workflows/release-asset-audit.py $GITHUB_TOKEN
+ - name: "File Issue"
+ if: failure()
+ uses: actions/github-script at 60a0d83039c74a4aee543508d2ffcb1c3799cdea #v7.0.1
+ with:
+ github-token: ${{ secrets.ISSUE_SUBSCRIBER_TOKEN }}
+ script: |
+ const issue = await github.rest.issues.create({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ title: "Release Asset Audit Failed",
+ body: `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
+ labels: ['infrastructure']
+ });
+ console.log(issue);
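Review bot: the "File Issue" step runs on `pull_request` events as well, but `secrets.ISSUE_SUBSCRIBER_TOKEN` is not available to pull_request runs from forks, and an audit failure inside a PR run should not open an infrastructure issue in any case; gate the step with `if: failure() && github.event_name != 'pull_request'`. In the "Run Audit Script" step, `python3 ./.github/workflows/release-asset-audit.py $GITHUB_TOKEN` puts the token on the command line even though it is already exported via `env`; drop the argument and let the script read the variable. Pinning both actions to full commit SHAs with a version comment is the right call and should be kept when they are bumped.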
``````````
</details>
https://github.com/llvm/llvm-project/pull/92829
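The allowlist rule the PR describes (every release asset must have been uploaded by an approved account), written as an offline, testable Python function. This is an added example for this page, not the PR's script or any llvm-project code: Asset, Finding, audit_assets, APPROVED and SAMPLE_ASSETS are this example's own constructions, the approved logins are a subset of the PR's list chosen for illustration, and the sample assets are made up. It goes beyond the PR script in two ways: it reports every violating asset in one pass instead of stopping at the first, and it also flags assets whose record was updated after creation, which the script prints but does not fail on.

```python
"""Release-asset audit over an explicit uploader allowlist (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable


@dataclass(frozen=True)
class Asset:
    release: str        # release title
    name: str           # asset file name
    uploader: str       # GitHub login recorded as the asset's uploader
    created_at: datetime
    updated_at: datetime


@dataclass(frozen=True)
class Finding:
    release: str
    asset: str
    reason: str


# Illustrative subset of the allowlist in the PR; a real deployment keeps the
# full, reviewed list here (assumption: these logins are only examples).
APPROVED = frozenset({"tstellar", "zmodem", "tru", "github-actions[bot]"})


def audit_assets(assets: Iterable[Asset], approved: frozenset) -> list:
    """Return one Finding per policy violation; an empty list means the audit passed.

    Every asset is inspected, so one run reports everything that needs attention
    rather than only the first problem.
    """
    findings = []
    for a in assets:
        if a.uploader not in approved:
            findings.append(Finding(a.release, a.name,
                                    f"uploader {a.uploader!r} is not on the approved list"))
        if a.updated_at != a.created_at:
            findings.append(Finding(a.release, a.name,
                                    f"asset record updated after creation ({a.updated_at.isoformat()})"))
    return findings


def assets_from_github(repo) -> list:
    """Adapter for a PyGithub Repository object, using the same calls as the PR script."""
    return [
        Asset(release.title, asset.name, asset.uploader.login,
              asset.created_at, asset.updated_at)
        for release in repo.get_releases()
        for asset in release.get_assets()
    ]


# Constructed sample data standing in for live API results.
_T0 = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("Example 1.0", "tool-1.0-linux-x86_64.tar.xz", "tstellar", _T0, _T0),
    Asset("Example 1.0", "tool-1.0-win64.exe", "zmodem", _T0, _T0),
    Asset("Example 1.0", "tool-1.0.src.tar.xz", "github-actions[bot]", _T0, _T0),
    Asset("Example 1.0", "tool-1.0-macos-arm64.tar.xz", "not-on-the-list", _T0, _T0),
    Asset("Example 0.9", "tool-0.9-win64.exe", "zmodem", _T0, _T0 + timedelta(hours=2)),
]


if __name__ == "__main__":
    import os
    import sys
    import github  # PyGithub, the library the PR script uses

    # Read the token from the environment rather than argv so it does not
    # appear in the runner's process list.
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        sys.exit("GITHUB_TOKEN is not set")
    repo = github.Github(login_or_token=token).get_repo(
        os.environ.get("GITHUB_REPOSITORY", "llvm/llvm-project"))
    results = audit_assets(assets_from_github(repo), APPROVED)
    for f in results:
        print(f"{f.release}: {f.asset}: {f.reason}")
    sys.exit(1 if results else 0)
```

Run offline, audit_assets(SAMPLE_ASSETS, APPROVED) yields two findings: the macOS asset uploaded by an account outside the list, and the 0.9 installer whose record changed after upload. Run as a script with GITHUB_TOKEN set, it walks the repository's releases with the same PyGithub calls the PR uses and exits 1 if anything was flagged, so the workflow's `if: failure()` step behaves as before.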
More information about the llvm-commits
mailing list