[B! Actions][security] efclã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

efcl id:efcl

Actionsã¨securityã«é–¢ã™ã‚‹efclã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (16)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

The end of GitHub PATs: You canâ€™t leak what you donâ€™t have
efcl 2024/05/03
id_tokenã§GitHubã®Tokenã‚’ã„ã„æ„Ÿã˜ã«æ‰±ãˆã‚‹ã‚ˆã†ã«ã™ã‚‹GitHub Appsã®ä»•çµ„ã¿ã«ã¤ã„ã¦ã€‚ æ¨©é™ã”ã¨ã«GitHub Appsã‚’ä½œã‚‰ãªãã¦ã‚‚è‰¯ããªã‚‹ä»•çµ„ã¿ã€‚

Github

security

Actions

article
ãƒªãƒ³ã‚¯
GitHub - octo-sts/app: A GitHub App that acts like a Security Token Service (STS) for the Github API
efcl 2024/05/03
OIDCã‚’ä½¿ã£ã¦Security Token Service (STS)ã‚’æ‰±ã†GitHub Appsã€‚ GitHub Actionsã‹ã‚‰ç‰¹å®šã®ãƒ‘ãƒ¼ãƒŸãƒƒã‚·ãƒ§ãƒ³ã‚’æŒã¤å¯¿å‘½ã®çŸã„tokenã‚’Token Federationã§å–å¾—ã§ãã‚‹ã€‚ æ¨©é™ã”ã¨ã®GitHub Appsã‚„PATã‚’ä½œã‚‰ãªã„ã§ã€ãã‚Œã‚’ãƒãƒªã‚·ãƒ¼ãƒ•ã‚¡ã‚¤ãƒ«ã§ç®¡ç†ã§ãã‚‹

Github

Actions

security

Tools
ãƒªãƒ³ã‚¯
pull_request_target ã§ GitHub Actions ã®æ”¹ç«„ã‚’é˜²ã
æœ¬è¨˜äº‹ã§ã¯ GitHub Actions ã§ pull_request event ã®ä»£ã‚ã‚Šã« pull_request_target ã‚’ç”¨ã„ã€ workflow ã®æ”¹ç«„ã‚’é˜²ã„ã§ã‚ˆã‚Šå®‰å…¨ã« CI ã‚’å®Ÿè¡Œã™ã‚‹æ–¹æ³•ã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã™ã€‚ ã¾ãšã¯å‰ç½®ãã¨ã—ã¦èƒŒæ™¯ã‚„è§£æ±ºã—ãŸã„ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£çš„ãªèª²é¡Œã«ã¤ã„ã¦èª¬æ˜Žã—ãŸå¾Œã€ pull_request_target ã‚’ç”¨ã„ãŸå®‰å…¨ãª CI ã®å®Ÿè¡Œã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã™ã€‚ æœ¬è¨˜äº‹ã§ã¯ OSS é–‹ç™ºã¨ã¯é•ã„æ¥å‹™ã§ private repository ã‚’ç”¨ã„ã¦è¤‡æ•°äººã§é–‹ç™ºã‚’è¡Œã†ã“ã¨ã‚’å‰æã«ã—ã¾ã™ã€‚ é•·ã„ã®ã§è¦ç´„ GitHub Actions ã§ Workflow ã®æ”¹ç«„ã‚’é˜²ãŽãŸã„ GitHub ã® branch protection rule ã‚„ codeowner, OIDC ã ã‘ã§ã¯ä¸ååˆ†ãªã‚±ãƒ¼ã‚¹ã‚‚ã‚ã‚‹ pull_request event ã®ä»£ã‚ã‚Šã« pull_r
efcl 2023/10/22
"pull_request_target ã§ã¯ pull request ã® base branch ã®æœ€æ–°ã‚³ãƒŸãƒƒãƒˆã§ workflow ãŒå®Ÿè¡Œã•ã‚Œã‚‹"

Github

Actions

security
ãƒªãƒ³ã‚¯
GitHub Actions could be so much better
ENOSUCHBLOG Programming, philosophy, pedaling. Home Tags Series Favorites Archive Main Site TILs GitHub Actions could be so much better Sep 22, 2023 Tags: programming, rant, security, workflow I love GitHub Actions: Iâ€™ve been a daily user of it since 2019 for both professional and hobbyist projects, and have found it invaluable to both my overall productivity and peace of mind. Iâ€™m just old enough
efcl 2023/09/30
GitHub Actionsã§ã®è„†å¼±ãªä»•çµ„ã¿ã«ã¤ã„ã¦ã€‚

Github

Actions

security
ãƒªãƒ³ã‚¯
GitHub - GitHubSecurityLab/actions-permissions: GitHub token permissions Monitor and Advisor actions
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
efcl 2023/06/27
GitHub Actionså®Ÿè¡Œæ™‚ã«ãƒãƒ¼ã‚«ãƒ«ãƒ—ãƒã‚ã‚·ã‚’è¨å®šã—ã¦ã€ã©ã®APIãŒå®Ÿè¡Œã•ã‚Œã¦ã‚‹ã‹ã‚’åŽé›†ã—ã¦Actionã«å¿…è¦ãªæœ€å°æ¨©é™ã®`permissions`ã‚’ã¾ã¨ã‚ã¦ãã‚Œã‚‹ãƒ„ãƒ¼ãƒ«

Github

Actions

security

Tools
ãƒªãƒ³ã‚¯
ç¤¾å†…ç”¨GitHub Actionsã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚¬ã‚¤ãƒ‰ãƒ©ã‚¤ãƒ³ã‚’å…¬é–‹ã—ã¾ã™ | ãƒ¡ãƒ«ã‚«ãƒªã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãƒªãƒ³ã‚°
ã“ã®è¨˜äº‹ã¯ã€Merpay Tech Openness Month 2023 ã®4æ—¥ç›®ã®è¨˜äº‹ã§ã™ã€‚ ã“ã‚“ã«ã¡ã¯ã€‚ãƒ¡ãƒ«ã‚³ã‚¤ãƒ³ã®ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®@goroã§ã™ã€‚ ã¯ã˜ã‚ã« ã“ã®GitHub Actionsã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚¬ã‚¤ãƒ‰ãƒ©ã‚¤ãƒ³ã¯ã€ç¤¾å†…ã§Github Actionsã®åˆ©ç”¨ã«å…ˆé§†ã‘ã€ç¤¾å†…æœ‰å¿—ã«ã‚ˆã£ã¦æ¤œè¨Žã•ã‚Œã¾ã—ãŸã€‚ã€ŒGitHub Actionsã‚’ä½¿ã†ã«ã‚ãŸã‚Šã©ã†ã„ã£ãŸç‚¹ã«ç•™æ„ã™ã‚Œã°æœ€ä½Žé™ã®å®‰å…¨æ€§ã‚’ç¢ºä¿ã§ãã‚‹ã‹å¦ç¿’ã—ã¦ã‚‚ã‚‰ã„ãŸã„ã€ã€Œå®šæœŸçš„ã«æœ¬ãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆã‚’è¦‹è¿”ã—ã¦ã‚‚ã‚‰ã„è‡ªåˆ†ãŸã¡ã®ãƒªãƒã‚¸ãƒˆãƒªãƒ¼ãŒå®‰å…¨ãªçŠ¶æ…‹ã«ãªã£ã¦ã„ã‚‹ã‹ç‚¹æ¤œã™ã‚‹éš›ã«å½¹ç«‹ã¦ã¦ã‚‚ã‚‰ã„ãŸã„ã€ã¨ã„ã†æ€ã„ã«åŸºã¥ã„ã¦ä½œæˆã•ã‚Œã¦ã„ã¾ã™ã€‚ ä»Šå›žã¯ãã‚“ãªã‚¬ã‚¤ãƒ‰ãƒ©ã‚¤ãƒ³ã®ä¸€éƒ¨ã‚’ã€ç¤¾å¤–ã®æ–¹ã€…ã«ã‚‚å½¹ç«‹ã¤ã¨æ€ã„å…¬é–‹ã™ã‚‹ã“ã¨ã«ã—ã¾ã—ãŸã€‚ ã‚¬ã‚¤ãƒ‰ãƒ©ã‚¤ãƒ³ã«ãŠã‘ã‚‹ç›®æ¨™ ã“ã®ã‚¬ã‚¤ãƒ‰ãƒ©ã‚¤ãƒ³ã¯äº‹å‰ã«2æ®µéšŽã®ç›®æ¨™ã‚’è¨å®šã—ã¦ä½œæˆã•ã‚Œã¦ã„ã¾ã™ã€‚ã¾ãšç¬¬1ã«ã€Œå¸¸ã«é”æˆã—ãŸã„ã“ã¨
efcl 2023/06/10
GitHub Actionsã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚¬ã‚¤ãƒ‰

Github

Actions

security
ãƒªãƒ³ã‚¯
GitHub - step-security/secure-repo: Orchestrate GitHub Actions Security
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
efcl 2022/07/11
GitHub Actionã®versionã®pinã€permissionã®ä»˜ä¸Žã¨ã‹ãŒã§ãã‚‹ã‚µãƒ¼ãƒ“ã‚¹

Github

Actions

security
ãƒªãƒ³ã‚¯
å…±åŒé–‹ç™ºã‚’å§‹ã‚ã‚‹ã¨ãã«ä¾¿åˆ©ãª 5 ã¤ã® GitHub Actions
ã¯ã˜ã‚ã« ã‚¹ã‚¿ãƒ¼ãƒˆã‚¢ãƒƒãƒ—ç‰ã«ãŠã„ã¦æ–°ã—ã„ãƒ—ãƒãƒ€ã‚¯ãƒˆã‚’å§‹ã‚ã‚‹æ™‚ã¯ã€è² å‚µãŒç„¡ã„ä»£ã‚ã‚Šã«ä½•ã‚‚ã‚ã‚Šã¾ã›ã‚“ã€‚ ãã†ã„ã£ãŸæ™‚ã«ã€ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã®å“è³ªã‚’æ‹…ä¿ã™ã‚‹ãŸã‚ã® CI ã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—ãŒã€åˆæœŸã‹ã‚‰é‡è¦ã«ãªã£ã¦ãã¾ã™ã€‚ GitHub ã‚’ä½¿ç”¨ã—ã¦ã„ã‚‹å ´åˆã¯ã€GitHub Actions ã‚’ä½¿ç”¨ã•ã‚Œã‚‹ã“ã¨ãŒæ®†ã©ã ã¨æ€ã†ã®ã§ã€ãã¡ã‚‰ã‚’å‰æã«é€²ã‚ã¦ã„ããŸã„ã¨æ€ã„ã¾ã™ã€‚ 1. rhysd/actionlint æ§˜ã€…ãªã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãŒ action ã‚’è¿½åŠ ã—ãŸã‚Šã€ç·¨é›†ã—ãŸã‚Šã™ã‚‹ã‚ˆã†ã«ãªã£ãŸæ™‚ã€å…¨å“¡ãŒæ£ã—ã„æ›¸ãæ–¹ã§æ›¸ã„ã¦ã„ãã“ã¨ã¯é›£ã—ã„ã§ã™ã€‚ ã¾ãŸã€ãã‚Œã‚’ 1 äººã® GitHub Actions Expert ãŒãƒ¬ãƒ“ãƒ¥ãƒ¼ã—ã¦ã„ãã®ã¯å¤§å¤‰ã§ã€å±žäººåŒ–ã—ã¦ã—ã¾ã£ã¦ã„ã‚‹ã®ã§ã€é¿ã‘ã‚‹æ–¹ãŒæœ›ã¾ã—ã„ã§ã™ã€‚ ä»¥ä¸‹ã‚’ã‚³ãƒ”ãƒšã™ã‚Œã°ã€ä½¿ç”¨ã§ãã¾ã™ã€‚ name: Actionlint on: push: branches: [ main ] p
efcl 2022/04/18
GitHub Actionså‘¨ã‚Šã®è¨å®š

Github

Actions

security

secretlint
ãƒªãƒ³ã‚¯
advisories/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md at master Â· justinsteven/advisories
The check-spelling GitHub Actions community workflow is a spell checker for GitHub commits. When the workflow is enabled on a given repository, it is activated whenever a Pull Request is made to that repo. The workflow checks the spelling according to a configuration defined by the repo, and submits a Pull Request comment showing the details of any spelling errors. For a repo configured to use the
efcl 2021/09/09
GitHub Actionsã§`pull_request_target`ã‚’åˆ©ç”¨ã—ã¦ã„ã‚‹ã¨ãã«ã€ãƒªãƒã‚¸ãƒˆãƒªå†…ã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’èªã¿è¾¼ã‚“ã§å‡ºåŠ›ã™ã‚‹ã¨symlinkã§envã‚’å‡ºåŠ›ã•ã›ã‚‹ã“ã¨ã§GITHUB_TOKENãŒãƒªãƒ¼ã‚¯ã•ã›ã‚‰ã‚Œã‚‹å•é¡Œã«ã¤ã„ã¦

Github

Actions

security
ãƒªãƒ³ã‚¯
GitHub Actionsã®`permissions`ã‚’è‡ªå‹•ã§è¨å®šã™ã‚‹ãƒ„ãƒ¼ãƒ«ã‚’æ›¸ã„ãŸ
GitHub Actionsã«ã¯permissionsã¨ã„ã†ãƒ•ã‚£ãƒ¼ãƒ«ãƒ‰ãŒã‚ã‚Šã€ãã‚Œãžã‚Œã®Workflow/Jobã§ã®secrets.GITHUB_TOKENã®æ¨©é™ã‚’è¨å®šã§ãã‚‹ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚ secrets.GITHUB_TOKENã¯GitHub Actionsã®å®Ÿè¡Œã”ã¨ã«ç™ºè¡Œã•ã‚Œã‚‹GitHubã®Tokenã§ã€å¤šãã®GitHub Actionsã¯ã“ã®ãƒˆãƒ¼ã‚¯ãƒ³ã‚’ä½¿ã£ã¦ãƒªãƒã‚¸ãƒˆãƒªã‚’git cloneã—ãŸã‚Šã€Issueã«ã‚³ãƒ¡ãƒ³ãƒˆã‚’æ›¸ã„ãŸã‚Šã—ã¦ã„ã¾ã™ã€‚ GitHub Actions: Control permissions for GITHUB_TOKEN | GitHub Changelog Workflow syntax for GitHub Actions - GitHub Docs ã“ã®permissionsã‚’ã¡ã‚ƒã‚“ã¨è¨å®šã™ã‚‹ã“ã¨ã§ã‚µãƒ—ãƒ©ã‚¤ãƒã‚§ãƒ¼ãƒ³æ”»æ’ƒãªã©ã®å½±éŸ¿ã‚’è»½æ¸›ã™ã‚‹ã“ã¨ãŒã§ãã¾ã™
efcl 2021/07/21
GitHub Actionsã®`permissions`ã®è§£èª¬ã¨ä½¿ã£ã¦ã‚‹Actionã®`permissions`ã‚’è¨å®šã™ã‚‹ãƒ„ãƒ¼ãƒ«ã«ã¤ã„ã¦

Github

Actions

security

Tools
ãƒªãƒ³ã‚¯
Redirectingâ€¦
Redirectingâ€¦ Click here if you are not redirected.
efcl 2021/01/29
GitHub Actionsã§ `${{ github.event.* }}` ã§ãƒ¦ãƒ¼ã‚¶ãƒ¼å…¥åŠ›ã‚’ãã®ã¾ã¾`run:`ã«åŸ‹ã‚è¾¼ã‚€ã¨ã‚’ã‚·ã‚§ãƒ«ã‚¹ã‚¯ãƒªãƒ—ãƒˆã¨ã—ã¦è©•ä¾¡ã—ã¦ã—ã¾ã†å•é¡Œã«ã¤ã„ã¦ã€‚ åŸºæœ¬çš„ã«ã¯ `env:` çµŒç”±ã§æ¸¡ã™ã“ã¨ã§ã€ä»»æ„ã®ã‚³ãƒ¼ãƒ‰å®Ÿè¡Œã¯ã§ããªã„ã‚ˆã†ã«ã™ã‚‹

Github

Actions

security
ãƒªãƒ³ã‚¯
VSCodeã®GitHubãƒªãƒã‚¸ãƒˆãƒªã«å¯¾ã™ã‚‹ä¸æ£ãªPushã‚¢ã‚¯ã‚»ã‚¹
ã¯ã˜ã‚ã«Microsoftã¯è„†å¼±æ€§ã®è¨ºæ–è¡Œç‚ºã‚’ã‚»ãƒ¼ãƒ•ãƒãƒ¼ãƒãƒ¼ã«ã‚ˆã‚Šè¨±å¯ã—ã¦ã„ã¾ã™ã€‚ æœ¬è¨˜äº‹ã¯ã€ãã®ã‚»ãƒ¼ãƒ•ãƒãƒ¼ãƒãƒ¼ã‚’éµå®ˆã—ãŸä¸Šã§ç™ºè¦‹/å ±å‘Šã—ãŸè„†å¼±æ€§ã‚’è§£èª¬ã—ãŸã‚‚ã®ã§ã‚ã‚Šã€ç„¡è¨±å¯ã®è„†å¼±æ€§è¨ºæ–è¡Œç‚ºã‚’æŽ¨å¥¨ã™ã‚‹äº‹ã‚’æ„å›³ã—ãŸã‚‚ã®ã§ã¯ã‚ã‚Šã¾ã›ã‚“ã€‚ MicrosoftãŒé‹å–¶/æä¾›ã™ã‚‹ã‚µãƒ¼ãƒ“ã‚¹ã«è„†å¼±æ€§ã‚’ç™ºè¦‹ã—ãŸå ´åˆã¯ã€Microsoft Bug Bounty Programã¸å ±å‘Šã—ã¦ãã ã•ã„ã€‚ è¦ç´„VSCodeã®Issueç®¡ç†æ©Ÿèƒ½ã«è„†å¼±æ€§ãŒå˜åœ¨ã—ã€ä¸é©åˆ‡ãªæ£è¦è¡¨ç¾ã€èªè¨¼ã®æ¬ å¦‚ã€ã‚³ãƒžãƒ³ãƒ‰ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã‚’çµ„ã¿åˆã‚ã›ã‚‹ã“ã¨ã«ã‚ˆã‚ŠVSCodeã®GitHubãƒªãƒã‚¸ãƒˆãƒªã«å¯¾ã™ã‚‹ä¸æ£ãªæ›¸ãè¾¼ã¿ãŒå¯èƒ½ã ã£ãŸã€‚ ç™ºè¦‹ã®ãã£ã‹ã‘é›»è»Šã«ä¹—ã£ã¦ã„ã‚‹éš›ã«ãµã¨æ€ã„ç«‹ã£ã¦microsoft/vscodeã‚’çœºã‚ã¦ã„ãŸæ‰€ã€CIç”¨ã®ã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒåˆ¥ã®ãƒªãƒã‚¸ãƒˆãƒª(microsoft/vscode-github-triage-actions)ã«ã¾
efcl 2021/01/14
GitHub Actions/CIä¸Šã§ã®ã‚³ãƒžãƒ³ãƒ‰ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã§GITHUB_TOKENã‚’å–å¾—ã§ããŸè©±

Github

Actions

security
ãƒªãƒ³ã‚¯
Redirectingâ€¦
Redirectingâ€¦ Click here if you are not redirected.
efcl 2020/12/19
`pull_request_target`ã‚’ä½¿ã†ã¨æ‚ªç”¨ã•ã‚Œã‚‹ã‚±ãƒ¼ã‚¹ãŒã‚ã‚‹ã“ã¨ã«ã¤ã„ã¦

Github

Actions

security
ãƒªãƒ³ã‚¯
GitHub Actions ã® self-hosted runner ã¨ Amazon EKS ã‚’ä½¿ã£ãŸ Docker ã® Build Pipeline/Build Pipeline for Docker with GitHub Actions self-hosted runner and Amazon EKS
Kubernetes Meetup Tokyo #32 on 7/28 ç™ºè¡¨è³‡æ–™
efcl 2020/11/21
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã®ãŸã‚ã«self-hosted runnerã‚’ä½¿ã£ã¦ã„ã‚‹ä¾‹

Github

Actions

slide

security
ãƒªãƒ³ã‚¯
How to safely use GitHub Actions in organizations - Human Who Codes
GitHub Actions1 are programs designed to run inside of workflows2, triggered by specific events inside a GitHub repository. To date, people use GitHub Actions to do things like run continuous integration (CI) tests, publish releases, respond to issues, and more. Because the workflows are executed inside a fresh virtual machine that is deleted after the workflow completes, there isnâ€™t much risk of
efcl 2020/07/22
GitHub Actionsã®secretsç®¡ç†ã«ã¤ã„ã¦ã€‚

Github

Actions

security
ãƒªãƒ³ã‚¯
Use GitHub actions at your own risk
It all started with a tweet that I made mid december: Am I the only one scared about sharing my access tokens to random @github actions found on the marketplace ? What if one day those random-action@master stored my tokens ? Wouldn't it be as easy as taking control as maintainer of an old action that everybody uses ? â€” Julien Renaux (@julienrenaux) December 12, 2019 I had a hunch that using Github
efcl 2019/12/23
GitHub Actionsã®hashä»¥å¤–ã®æŒ‡å®šã¯ã„ã¤ã§ã‚‚å¤‰æ›´ãŒå¯èƒ½ã§ã‚ã‚‹ã“ã¨ã«ã¤ã„ã¦

Github

Actions

security
ãƒªãƒ³ã‚¯
1