Skip to content

Create initial Github CI flow #775

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
m0j0hn wants to merge 1 commit into
base: next
Choose a base branch
from
Open

Create initial Github CI flow #775

m0j0hn wants to merge 1 commit into from

Conversation

@m0j0hn
Copy link

@m0j0hn m0j0hn commented May 28, 2022

Summary: Initial Github CI flow

What changed: Add initial Github CI flow

How tested: Github CI

@m0j0hn
Copy link
Author

m0j0hn commented May 28, 2022

NOTE: WIP, needs some tidying up before merge - I welcome feedback about what we can trim out of this initial merge.
Note this is an initial version - it is incomplete, from a CI/CD perspective, but enables building branches on push and merge, and we can add release hooks as required.
Please take a look at the TODO tags in .github/workflows/main.yml for open issues

@m0j0hn m0j0hn force-pushed the FREENET-7179 branch 11 times, most recently from 3aeaee1 to 6bb18c7 Compare June 1, 2022 14:25
@m0j0hn
Add initial Github CI
88d35d7 
Add .github/workflows/main.yml;
update build.gradle to not fail build on Javadoc errors
See: https://freenet.mantishub.io/view.php?id=7179
@ArneBab
Copy link
Contributor

ArneBab commented Jun 4, 2022

This looks like a good start. Thank you!

It will need some additional tightening of security before we can merge it:

  • Without additional checking for user rights, there should be no automatic runs on PRs, because these allow everyone to run arbitrary code by simply filing a pull-request.
  • There should be no permissions granted to the CI run to avoid exposing the github token (no permissions: entry).

@m0j0hn
Copy link
Author

m0j0hn commented Jun 7, 2022

Thanks for the comments, let me look into this

@theoldbatosai
Copy link

theoldbatosai commented Sep 15, 2022

Digging this one up.

The first way to control arbitrary code execution is to set '.github/workflows' as only modifiable by code owners. If a PR comes up with a "customized" workflow, an approval will be required. That's only the first step, but this is pretty well documented:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

GitHub’s standard pull_request workflow trigger prevents write permissions and secrets access to the target repository by default.
And push is only triggered when we merge something.
You only get access to these if you already have write permissions on the repo.
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Do you want me to take a stab at this or is @m0j0hn still around?

@ArneBab
Copy link
Contributor

ArneBab commented Sep 15, 2022

If you could take a stab that would be great! Thank you!

@theoldbatosai
Copy link

theoldbatosai commented Sep 16, 2022

I can't figure out a way to take over this PR. I think I have to clone his repo and do my own PR. Or am I missing something?
Also, once I have something decent, I will need a core dev to set the restrictions on the .github directory.

@ArneBab
Copy link
Contributor

ArneBab commented Sep 16, 2022

@theoldbatosai you’ll need to clone this repo and then pull the branch m0j0hn:FREENET-7179, then you can work directly on the branch and file a new PR from your repo (just mention this PR in your PR so your PR will be found from here).

I’ll ping nextgens once you’re ready — he’s the one with the most experience on CI workflow security.

@Thynix
Copy link
Contributor

Thynix commented Nov 12, 2022

@ArneBab You mentioned in your mailing list post about 1495 that this blocks release. Is that because you want to build the release with GitHub CI instead of locally?

@ArneBab
Copy link
Contributor

ArneBab commented Nov 12, 2022
edited
Loading

@Thynix this blocks the release of Freenet 0.8, not of 1495. I’m sorry if that was unclear.

For the new point release we should have CI in place again so contributors can directly see whether all tests succeed.

See the blockers in https://github.com/freenet/wiki/wiki/Roadmap

@torusrxxx
Copy link
Contributor

torusrxxx commented Aug 30, 2025

Is this still needed?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@m0j0hn @ArneBab @theoldbatosai @Thynix @torusrxxx