Conversation
Signed-off-by: Marc Schöchlin <schoechlin@osb-alliance.com>
|
But the github workflows don't pass, so something is not working here yet. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| steps: | ||
| - name: Check token permissions | ||
| run: | | ||
| if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then |
Check warning
Code scanning / CodeQL
Excessive Secrets Exposure Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
General fix:
Eliminate dynamic secret access and explicitly declare which secrets are used by the workflow. For per-user tokens, enumerate each possible user as a build matrix with a conditional per-user environment variable selection.
Detailed fix:
- Remove the use of
secrets[format('GHP_{0}', github.actor)]. - Instead, create a
matrixin the job that lists allowed users (actors) and assigns the exact secret name for each one. - Use a conditional for each possible actor to set the
API_TOKENenv variable specifically to the corresponding secret, for example:env: API_TOKEN: ${{ secrets.GHP_ACTOR1 }}
- Remove any unnecessary checking for whether the secret is present—GitHub will fail with a useful error if a required secret is missing.
- Update the
api_tokenvariable in the ansible invocation to use this new env declaration.
File/region to change:
.github/workflows/dryrun-manage-github-repositories.yml
- Replace the dynamic secret access in the relevant
envsections with explicit per-actor/secret mapping.
| @@ -15,16 +15,16 @@ | ||
| jobs: | ||
| manage-github-repositories: | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| include: | ||
| - actor: user1 | ||
| api_token: ${{ secrets.GHP_USER1 }} | ||
| - actor: user2 | ||
| api_token: ${{ secrets.GHP_USER2 }} | ||
| # Add additional users as needed | ||
| if: github.actor == matrix.actor | ||
| steps: | ||
| - name: Check token permissions | ||
| run: | | ||
| if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then | ||
| echo "No valid PAT found for ${{github.actor}}" | ||
| exit 1 | ||
| else | ||
| echo "Found valid PAT for ${{github.actor}}" | ||
| fi | ||
|
|
||
| - name: Checkout repo | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| @@ -50,4 +49,4 @@ | ||
| run: | | ||
| pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff | ||
| env: | ||
| API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }} | ||
| API_TOKEN: ${{ matrix.api_token }} |
| run: | | ||
| pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff | ||
| env: | ||
| API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }} |
Check warning
Code scanning / CodeQL
Excessive Secrets Exposure Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
To fix the problem, we must avoid dynamically accessing secrets at runtime. Instead, explicitly define input variables or secrets for each possible value of ${{ github.actor }}. This ensures that only the secrets that are needed are passed to the workflow runner.
The best approach is to create a job matrix for each supported actor, and, for each one, pass the correct secret explicitly in the job's env section. For demonstration, if you have a limited set of possible actors (e.g., user1 and user2), you can write two jobs that are conditionally run only for the respective actor by using the if field, and reference the relevant secret explicitly with secrets.GHP_user1 and secrets.GHP_user2.
In practice:
- For each actor who should have a specific PAT, add a job or a step guarded by
if: github.actor == 'actorname'. - Set
API_TOKEN: ${{ secrets.GHP_actorname }}.
If there are many actors, you will need to enumerate each one explicitly. If that is not feasible, you should reconsider the workflow design, as dynamic secret access is fundamentally prohibited for security.
Required changes:
- Remove dynamic secret access in lines 21 and 53.
- Replace with explicit secret references for each allowed actor, using conditionals.
| @@ -16,15 +16,26 @@ | ||
| manage-github-repositories: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check token permissions | ||
| - name: Check token permissions for user1 | ||
| if: github.actor == 'user1' | ||
| run: | | ||
| if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then | ||
| echo "No valid PAT found for ${{github.actor}}" | ||
| if [ -z "${{ secrets.GHP_user1 }}" ]; then | ||
| echo "No valid PAT found for user1" | ||
| exit 1 | ||
| else | ||
| echo "Found valid PAT for ${{github.actor}}" | ||
| echo "Found valid PAT for user1" | ||
| fi | ||
|
|
||
| - name: Check token permissions for user2 | ||
| if: github.actor == 'user2' | ||
| run: | | ||
| if [ -z "${{ secrets.GHP_user2 }}" ]; then | ||
| echo "No valid PAT found for user2" | ||
| exit 1 | ||
| else | ||
| echo "Found valid PAT for user2" | ||
| fi | ||
|
|
||
| - name: Checkout repo | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| @@ -46,8 +52,16 @@ | ||
| run: | | ||
| ansible-galaxy collection install git+https://github.com/opentelekomcloud/ansible-collection-gitcontrol.git | ||
|
|
||
| - name: Test the management of github repositories with Ansible | ||
| - name: Test the management of github repositories with Ansible (user1) | ||
| if: github.actor == 'user1' | ||
| run: | | ||
| pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff | ||
| env: | ||
| API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }} | ||
| API_TOKEN: ${{ secrets.GHP_user1 }} | ||
|
|
||
| - name: Test the management of github repositories with Ansible (user2) | ||
| if: github.actor == 'user2' | ||
| run: | | ||
| pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff | ||
| env: | ||
| API_TOKEN: ${{ secrets.GHP_user2 }} |
…in permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Kurt Garloff <kurt@garloff.de>
2 participants
No description provided.