Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactor GHA pipelines for improved security #467

Open
1 of 4 tasks
jorisroovers opened this issue Mar 10, 2023 · 4 comments
Open
1 of 4 tasks

Refactor GHA pipelines for improved security #467

jorisroovers opened this issue Mar 10, 2023 · 4 comments
Assignees
@jorisroovers
Labels
development Issues that are not user-facing but related to gitlint development
Milestone
0.20.0

Comments

@jorisroovers
Copy link
Owner

jorisroovers commented Mar 10, 2023
edited

To consider as part of this:

Suggested by @webknjaz here:
https://github.com/jorisroovers/gitlint/pull/418/files#r1131056985
@jorisroovers jorisroovers added the development Issues that are not user-facing but related to gitlint development label Mar 10, 2023
@jorisroovers jorisroovers self-assigned this Mar 10, 2023
@jorisroovers jorisroovers added this to the 0.20.0 milestone Mar 10, 2023
@webknjaz
Copy link
Contributor 

* [ ]  Consider adding branch protection rules

I was referring to the environment protections, not branch protection.

* [ ]  Reconsider how dev builds are triggered from CI, splitting the it out in a separate pipeline instead of calling the workflow directly from `ci.yml`

I don't see a problem with this for as long as the job has a separate environment set.

@webknjaz
Copy link
Contributor

[ ] Ensure publishing secrets aren't available to CI jobs

Hey @jorisroovers, I'd like to invite you to join the private beta of secretless publishing from GHA to PyPI. Please, fill out this form https://forms.gle/XUsRT8KTKy66TuUp7 to get in.

@jorisroovers jorisroovers mentioned this issue Apr 11, 2023
Closed
@jorisroovers
Copy link
Owner Author

Note-to-self: This section in the OIDC docs has good suggestions on github action hardening:
https://github.com/pypi/warehouse/blob/ab05dd4c137eb57ff55794a659062f02b4c326bc/docs/user/trusted-publishers/security-model.md#considerations

@jorisroovers jorisroovers mentioned this issue Apr 11, 2023
Merged
jorisroovers added a commit that referenced this issue Apr 11, 2023
@jorisroovers
GHA: Use PyPI OIDC for publishing
6f83c6b 
Replace token based authentication with OIDC for PyPI package
publishing.

Relates to #467
jorisroovers added a commit that referenced this issue Apr 11, 2023
@jorisroovers
GHA: Use PyPI OIDC for publishing (#486)
562703f 
Replace token based authentication with OIDC for PyPI package
publishing.

Relates to #467
jorisroovers added a commit that referenced this issue Apr 12, 2023
@jorisroovers
GHA: Use GHA environments to select PyPI target
5c5febd 
Replace if statements with ${{ vars.PYPI_TARGET }}, defined in
GHA environments, to select the target PyPI repository when publishing
packages.

Relates to #467
@jorisroovers jorisroovers mentioned this issue Apr 12, 2023
Merged
jorisroovers added a commit that referenced this issue Apr 13, 2023
@jorisroovers
GHA: Use GHA environments to select PyPI target (#487)
8a38a58 
Replace if statements with ${{ vars.PYPI_TARGET }}, defined in
GHA environments, to select the target PyPI repository when publishing
packages.

Relates to #467
Implements #466
jorisroovers added a commit that referenced this issue Jul 12, 2023
@jorisroovers
README Update
d2a516b 
This is a commit to try out bypassing branch protection rules.

Relates to #467
jorisroovers added a commit that referenced this issue Jul 12, 2023
@jorisroovers
README Update
53887bc 
This is a commit to try out bypassing branch protection rules.

Relates to #467
@jorisroovers
Copy link
Owner Author

Just configured a few things:

  • Tag protection Rule: on all tags (*). This effectively makes me the only one who can add or delete tags.
  • Branch Protections on main:
    • Require a pull request before merging:
      • Require approvals: pull requests targeting main require 1 or more approvals and no changes requested before they can be merged.
      • Require approval of the most recent reviewable push: Whether the most recent reviewable push must be approved by someone other than the person who pushed it.
    • Require status checks to pass before merging: Certain status checks must pass before branches can be merged into main. I’ve added the Python 3.11 tests, sdist-build-smoke-test, build-test and doc-checks.
    • Require linear history: Prevent merge commits from being pushed to matching branches.
    • Allow force pushes:
  • Environment Protection Rule:
    • Deployment branches: Only main can deploy to the production environment (i.e. PyPI).

Notes

  • As a repo admin I can override these rules. For example, I can still do direct (force) push to main. I don’t do this often, but it happens. I’ve just tried this in 53887bc.
  • In general I’ve tried to strike a balance between increased security and usability. My main intent here is to (1) avoid accidental merges to main (2) avoid accidental releases. At the same time, I don’t want to create extra friction on a day-to-day basis so I might loosen things again if they turn out to be too cumbersome.

Next up are job permissions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jorisroovers jorisroovers

Labels
development Issues that are not user-facing but related to gitlint development
Projects
gitlint
Status: In Progress
Milestone
0.20.0
Development

No branches or pull requests
2 participants
@jorisroovers @webknjaz