[llvm] workflows/release-binaries: Remove .git directory from artifacts (PR #106310)

Tom Stellard via llvm-commits llvm-commits at lists.llvm.org
Tue Aug 27 20:05:12 PDT 2024


https://github.com/tstellar updated https://github.com/llvm/llvm-project/pull/106310

>From 394676b8c7239aec55cd4bebe7a999ead6bb6299 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Tue, 27 Aug 2024 16:27:18 -0700
Subject: [PATCH 1/3] workflows/release-binaries: Remove .git directory from
 artifacts

The .git/config file contains an auth token that can be leaked if
the .git directory is included in a workflow artifact.
---
 .github/workflows/release-binaries-save-stage/action.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release-binaries-save-stage/action.yml b/.github/workflows/release-binaries-save-stage/action.yml
index e2f3eeadd15bea..63d00255f6d8fb 100644
--- a/.github/workflows/release-binaries-save-stage/action.yml
+++ b/.github/workflows/release-binaries-save-stage/action.yml
@@ -18,6 +18,10 @@ runs:
     - name: Package Build and Source Directories
       shell: bash
       run: |
+        # Remove git directory so we avoid leaking secrets stored in .git/config.
+        # See https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
+        # This also helps reduce the size of the archive.
+        rm -Rf .git/
         # Windows does not support symlinks, so we need to dereference them.
         tar --exclude build/ ${{ (runner.os == 'Windows' && '-h') || '' }} -c . | zstd -T0 -c > ../llvm-project.tar.zst
         mv ../llvm-project.tar.zst .
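Review bot: `rm -Rf .git/` removes the whole repository metadata directory, not only the `.git/config` file that the commit message and the comment on the line above identify as holding the token, so anything later in the build that reads the checkout's VCS state (the current revision for version strings, for example) will no longer find it. Consider narrowing the deletion to the file that actually carries the credential, e.g. `rm -f .git/config`, and keep the "reduce the size of the archive" remark only if dropping the entire directory is really intended.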

>From d7ce523b2118598f6bafc93fcee5dd884efb6761 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Tue, 27 Aug 2024 16:50:17 -0700
Subject: [PATCH 2/3] Add permissions too

---
 .github/workflows/release-binaries-save-stage/action.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/release-binaries-save-stage/action.yml b/.github/workflows/release-binaries-save-stage/action.yml
index 63d00255f6d8fb..4b4be54d6a0612 100644
--- a/.github/workflows/release-binaries-save-stage/action.yml
+++ b/.github/workflows/release-binaries-save-stage/action.yml
@@ -10,6 +10,9 @@ inputs:
     required: true
     type: 'string'
 
+permissions:
+  contents: read
+
 runs:
   using: "composite"
   steps:
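Review bot: `permissions:` is not part of the metadata schema for a composite action, so the `contents: read` block added after the `inputs:` section has no effect in this `action.yml`; GitHub only honours `permissions` at the workflow or job level of the calling workflow file. Move the restriction into the workflow that invokes this action, or drop these lines so a reader does not assume the token has been scoped down here.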

>From e6a41bc9b698c5b3266c486daa2a792968d28af2 Mon Sep 17 00:00:00 2001
From: Tom Stellard <tstellar at redhat.com>
Date: Tue, 27 Aug 2024 20:04:21 -0700
Subject: [PATCH 3/3] Only delete .git/config

Deleting the whole .git directory breaks the VersionFromVCS computation
for stage2 and stage3.
---
 .github/workflows/release-binaries-save-stage/action.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release-binaries-save-stage/action.yml b/.github/workflows/release-binaries-save-stage/action.yml
index 4b4be54d6a0612..f08088c7bc56f1 100644
--- a/.github/workflows/release-binaries-save-stage/action.yml
+++ b/.github/workflows/release-binaries-save-stage/action.yml
@@ -21,10 +21,9 @@ runs:
     - name: Package Build and Source Directories
       shell: bash
       run: |
-        # Remove git directory so we avoid leaking secrets stored in .git/config.
+        # Remove .git/config to avoid leaking GITHUB_TOKEN stored there.
         # See https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/
-        # This also helps reduce the size of the archive.
-        rm -Rf .git/
+        rm -Rf .git/config
         # Windows does not support symlinks, so we need to dereference them.
         tar --exclude build/ ${{ (runner.os == 'Windows' && '-h') || '' }} -c . | zstd -T0 -c > ../llvm-project.tar.zst
         mv ../llvm-project.tar.zst .
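Review bot: `rm -Rf .git/config` applies the recursive flag to a single file; `rm -f .git/config` states what is meant and avoids suggesting that a directory is being removed. Note also that deleting `.git/config` drops the remote definitions along with the token, so any later `git` command in this job that relies on `origin` will fail, even though the revision lookup mentioned in the commit message keeps working. Since the point of this step is to keep the token out of `llvm-project.tar.zst`, it would be worth adding a check after the `tar ... | zstd` line that fails the step if `.git/config` still appears in the archive listing, so a future change to the `--exclude` arguments cannot silently reintroduce the leak.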
