Jason Yu

Reputation: 131

Make sure a GitHub Action is only run by the owner

I have an action job which uploads the context to another website. The token was set and stored in the secret.MY_TOKEN.

But others who make pull requests also trigger this action job using the token I set.

How can I limit the privilege of executing the jobs, so that only I can run this action job?

FYI, my ci.yml is as follows:

name: foobar

on: [push, pull_request]

jobs:

  upload:
    runs-on: ubuntu-latest

    steps:
    ....

    - name: execute upload
      env:
        TOKEN: ${{ secrets.MYTOKEN }}
      run:
        upl --token ${TOKEN}

I assume there are two security problems here.

  1. The token is printed in the log file.
  2. Others can use this private token by triggering the action for their own purposes.

Upvotes: 7

Views: 10174

Answers (4)

jessehouwing

Reputation: 114651

When using on: pull_request, the workflow will not have any access to secrets.

There is a different trigger on: pull_request_target that will grant access to the secrets, but will use the workflow defined in the target branch.

See also:

Upvotes: 4
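As an added illustration of the trigger distinction in this answer (example workflow written for this page, not the asker's file and not from GitHub's documentation): tests run for every pull request without needing secrets, and the secret-using upload is reserved for pushes to the default branch. `upl` and `MYTOKEN` come from the question; the branch name `main` and the build command are assumed.

```yaml
name: foobar

# Pushes to the default branch and pull requests trigger this workflow.
# For a pull_request run coming from a fork, GitHub withholds repository
# secrets, so secrets.MYTOKEN would be empty in that run regardless of
# any gate added below.
on:
  push:
    branches: [main]   # assumed default branch name
  pull_request:

jobs:
  # Runs for every pull request, including ones from forks: build and test
  # the contributor's code, but never reference the token.
  test:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: build and test
        run: make test   # assumed build command

  # Runs only for pushes to main, which an outside contributor cannot
  # perform without write access, so the secret is only exposed to code
  # that is already on the default branch.
  upload:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: execute upload
        env:
          TOKEN: ${{ secrets.MYTOKEN }}
        # Pass the token through the environment; GitHub masks secret
        # values that appear in the job log.
        run: upl --token "$TOKEN"

# Deliberately not used here: `pull_request_target` would also receive
# secrets for fork PRs, but it runs the workflow file from the base branch.
# If such a job checked out and executed the PR's own code (a build script,
# for instance), that untrusted code would run with the token available, so
# keep secret-using jobs away from `pull_request_target` unless they never
# execute contributor-controlled code.
```

The split means a contributor's pull request still gets feedback from the `test` job, while `secrets.MYTOKEN` is only ever read in a run that a pusher with write access started.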

VonC

Reputation: 1324268

There is a new feature which could help, since July 2022:

Differentiating triggering actor from executing actor

Starting next week, workflow re-runs in GitHub Actions will use the initial run’s actor for privilege evaluation.
The actor who triggered the re-run will continue to be displayed in the UI, and can be accessed in a workflow via the triggering_actor field in the GitHub context.

Currently, the privileges (e.g. – secrets, permissions) of a run are derived from the triggering actor.
This poses a challenge in situations where the actor triggering a re-run is different than the original executing actor.

The upcoming change will differentiate the initial executing actor from the triggering actor, enabling the stable execution of re-runs.

For more details see Re-running workflows and jobs.

Upvotes: 1

TheComputerM

Reputation: 1981

Use the github.repository_owner context

https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#github-context

The syntax should be something like:

- if: github.repository_owner == 'owner_name'

Upvotes: 4

xandermonkey

Reputation: 4412

I don't believe allowing actions to run only for certain users is a native feature.

However, you could simply check the action context actor and exit early if the actor is not yourself (or the owner of the repo, or whatever condition you'd like).

Upvotes: 1
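Combining this answer with TheComputerM's `github.repository_owner` suggestion, here is an added example (written for this page, not taken from the original post or from the asker's repository) that skips the job at the job level unless the actor is the repository owner, and additionally fails inside a step so the refusal is visible in the log. `upl` and `MYTOKEN` come from the question; the rest is assumed.

```yaml
name: foobar

on: [push, pull_request]

jobs:
  upload:
    runs-on: ubuntu-latest
    # Job-level gate: the whole job is skipped unless the user whose push or
    # pull request started this run is the repository owner. On a re-run,
    # github.actor is still the original actor (privileges follow it), while
    # github.triggering_actor names whoever pressed "re-run".
    if: github.actor == github.repository_owner
    steps:
      - uses: actions/checkout@v4

      # Explicit in-step check: a skipped job shows nothing, whereas this
      # step leaves an error annotation explaining why the upload refused.
      - name: verify actor
        env:
          ACTOR: ${{ github.actor }}
          OWNER: ${{ github.repository_owner }}
        run: |
          if [ "$ACTOR" != "$OWNER" ]; then
            echo "::error::refusing to run upload for actor '$ACTOR'"
            exit 1
          fi

      - name: execute upload
        env:
          TOKEN: ${{ secrets.MYTOKEN }}
        # Keep the token in an environment variable rather than embedding it
        # in the workflow text; GitHub masks secret values if they appear in
        # the job log.
        run: upl --token "$TOKEN"
```

`github.repository_owner` is the user name for a personal repository but the organisation name for an organisation-owned one, so in the latter case compare `github.actor` against a literal user name (as in TheComputerM's `'owner_name'`) or a list of trusted maintainers instead.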
