Hi Cephers,

Due to the escalating situation in which leaked secrets from a previously compromised GH Action (tj-actions) [1] are used to compromise more popular GH Actions (reviewdog) [2], *we have decided to immediately disable all Github Actions in all repositories, except the official GH ones, and the ones under the Ceph organization*.

*From a preliminary analysis, none of our repos has been impacted*. However, given that the Ceph org hosts more than 200 repositories (including forks), it's safer to take a conservative approach while a deeper analysis is undertaken (and the situation settles down).

We know that this might have an immediate impact on Ceph teams, as it will break CI using unofficial Github Actions. The recommendation for *each team is to review their Github workflows in their repos* (.github/workflows/*.yaml) and ensure that:

- *Version tag pinning is replaced with the corresponding SHA-1 hash*, even for GH official actions. Example: <https://github.com/ceph/ceph/blob/8890c0f0df343897195ab97104be0a551d899361/.github/workflows/pr-triage.yml#L12>.
- Once the previous requirement is met, *GH Actions from unofficial sources can be requested* (via mail to security@xxxxxxx) to be included in the allow-list.
- Except for actions from the "reviewdog" org <https://github.com/reviewdog>: their team is still analyzing the scope of the attack. In this case, we shouldn't yet trust SHA-1 hashes obtained after the attack until the analysis concludes.
- Alternatively, in the long run, we are considering starting to fork 3rd party GH Actions under the Ceph org, but this carries extra overhead for the Ceph maintainers.

We apologize for the inconvenience, but we did this to reduce the exposure of the Ceph community to a series of attacks that may continue to escalate.
Kind Regards,
Ernesto

[1] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
[2] https://www.stepsecurity.io/blog/reviewdog-github-actions-are-compromised
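As an added example (not part of the announcement or of any Ceph tooling), here is the review each team is asked to do expressed as a small Python audit: it reads a workflow file, finds every `uses:` reference, and flags references that are pinned to a mutable tag or branch instead of a 40-hex commit SHA, that point at the reviewdog org (not trusted even when SHA-pinned), or that come from a third party that would need an allow-list request. The trusted-org set and the sample workflow (including its 40-hex values) are assumptions constructed for the example.

```python
import re
import sys
from pathlib import Path

# One `uses:` reference per step: owner/repo[/path]@ref (quotes and trailing comments tolerated).
USES_RE = re.compile(r'^[ \t]*-?[ \t]*uses:[ \t]*["\']?([^\s"\'#]+)', re.MULTILINE)
# Assumption: these orgs count as "official GH" / "under the Ceph organization" in the announcement.
TRUSTED_ORGS = {"actions", "github", "ceph"}
# Org still analysing its compromise; even SHA-pinned references are not trusted yet.
QUARANTINED_ORGS = {"reviewdog"}

def audit_workflow(text):
    """Return (reference, problem) pairs for every `uses:` that violates the policy."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and images carry no GitHub ref to pin
        action, _, rev = ref.partition("@")
        if not rev:
            findings.append((ref, "no-ref"))
            continue
        org = action.split("/")[0].lower()
        if org in QUARANTINED_ORGS:
            findings.append((ref, "quarantined-org"))
        elif not re.fullmatch(r"[0-9a-f]{40}", rev):
            findings.append((ref, "not-sha-pinned"))  # tags and branches can be moved by an attacker
        elif org not in TRUSTED_ORGS:
            findings.append((ref, "needs-allowlist-request"))
    return findings

# Constructed sample workflow; the 40-hex values below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
jobs:
  triage:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-shellcheck@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567  # third party
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    # Usage: python audit.py .github/workflows/*.yml (defaults to the sample above)
    paths = [Path(p) for p in sys.argv[1:]]
    for name, text in [(p, p.read_text()) for p in paths] or [("sample", SAMPLE_WORKFLOW)]:
        for ref, problem in audit_workflow(text):
            print(f"{name}: {problem}: {ref}")
```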