Update action versions #6848
f853968 to 82f1e5e
| *.blob.storage.azure.net:443 | ||
| *.githubapp.com:443 | ||
| *.sourceforge.net:443 | ||
| api.github.com:443 | ||
| api.ipify.org:443 | ||
| bcr.bazel.build:443 | ||
| downloads.sourceforge.net:443 | ||
| files.pythonhosted.org:443 | ||
| github.com:443 | ||
| go.dev:443 | ||
| mirror.bazel.build:443 | ||
| mirrors.kernel.org:443 | ||
| nodejs.org:443 | ||
| oauth2.googleapis.com:443 | ||
| objects.githubusercontent.com:443 | ||
| pypi.org:443 | ||
| registry.npmjs.org:443 | ||
| release-assets.githubusercontent.com:443 |
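Review bot: `*.blob.storage.azure.net:443` is a wildcard over every Azure storage account, so once it is in the list the egress policy no longer stops a compromised step from fetching a payload from, or exfiltrating to, an attacker-controlled account; pin the specific account host(s) the Bazel fetches actually use, or state in the PR description why that is not possible. `api.ipify.org:443` is a public-IP echo service with no obvious role in a build and should be justified or dropped, and the same question applies to `*.githubapp.com:443` and `*.sourceforge.net:443` given that `downloads.sourceforge.net:443` is already listed on its own.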
That's a lot of new endpoints, with one being pretty much "the internet" when it's pointing at azure storage, I think. Could we at least say something about this in the PR description?
Added notes and link (README.md already had relevant info)
Alright, thanks. This doesn't seem like a particularly hardened configuration. I am not sure what exactly the threat model is, but this seems to open up a lot more access for the CI bots.
It's a bit circular -- we'd been nudged to add some checks, so I did, but it's hard to actually restrict bazel given how it downloads.
Other, non-bazel executions are stricter.
Missed in #6848 (had it sitting in my workspace uncommitted, apparently have gotten too used to jj; using git here)

Assisted-by: Google Antigravity with Gemini
| releases.bazel.build:443 | ||
| sourceforge.net:443 | ||
| storage.googleapis.com:443 | ||
| uploads.github.com:443 |
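Review bot: `storage.googleapis.com:443` has the same breadth problem as the Azure wildcard, since every GCS bucket is served from that one host; if Bazel only needs particular buckets, name them in the PR description so the entry can be revisited. Also, if this hunk drops `uploads.github.com:443`, note that the nightly release job uploads assets through that host and PR CI never exercises it, so keep the entry (or scope the block policy to jobs that never upload) rather than rely on a green CI run.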
Removing uploads.github.com looks to have broken the upload of our nightly releases: https://github.com/carbon-language/carbon-lang/actions/runs/22836672563
Thanks! I responded to your thread on #infra.
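A check of the kind both threads above call for (how much a wildcard or shared-storage entry widens egress, and whether an allow-list change silently drops a host that only a rarely-run job such as the nightly release upload needs), written as an added example; it is not code from carbon-lang or from harden-runner. It assumes the `allowed-endpoints` input is a whitespace-separated list of `host:port` tokens, and the "multi-tenant" and "IP echo" host sets and the two sample lists are constructed for this example, not a harden-runner feature.

```python
"""Audit a step-security/harden-runner ``allowed-endpoints`` allow-list.

Added example (not carbon-lang or harden-runner code). Assumes the input is
whitespace-separated ``host:port`` tokens; the host classifications below
are this example's own judgement.
"""
import re
from dataclasses import dataclass, field

# Hosts that front arbitrary third-party tenants: anyone can create a bucket
# or storage account there, so allowing them is close to allowing "the
# internet" for payload fetches or exfiltration. (Assumed list.)
MULTI_TENANT = {
    "*.blob.storage.azure.net",
    "storage.googleapis.com",
    "*.s3.amazonaws.com",
}

# Public-IP echo services: a build rarely needs one, and an unexpected entry
# deserves a question in review. (Assumed list.)
IP_ECHO = {"api.ipify.org", "ifconfig.me", "icanhazip.com"}

# ``host:port`` where host may start with a single ``*.`` wildcard label.
ENDPOINT_RE = re.compile(
    r"^(?P<host>(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*):(?P<port>\d{1,5})$", re.I
)


@dataclass
class Finding:
    endpoint: str
    reasons: list[str] = field(default_factory=list)


def parse_endpoints(text: str) -> list[tuple[str, int]]:
    """Split the allow-list into (host, port) pairs.

    Malformed tokens raise instead of being skipped: a typo means the host
    the author meant to allow is silently *not* allowed, and the job only
    fails later when it tries to reach it.
    """
    pairs = []
    for tok in text.split():
        m = ENDPOINT_RE.match(tok)
        if not m:
            raise ValueError(f"malformed endpoint: {tok!r}")
        port = int(m["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {tok!r}")
        pairs.append((m["host"].lower(), port))
    return pairs


def audit(text: str) -> list[Finding]:
    """One Finding per entry that widens egress beyond a pinned host."""
    findings = []
    for host, port in parse_endpoints(text):
        reasons = []
        if host.startswith("*."):
            reasons.append("wildcard: every subdomain is reachable")
        if host in MULTI_TENANT:
            reasons.append("multi-tenant storage: anyone can host content there")
        if host in IP_ECHO:
            reasons.append("public-IP echo service: unexpected in a build")
        if port != 443:
            reasons.append(f"non-443 port {port}: confirm it is TLS")
        if reasons:
            findings.append(Finding(f"{host}:{port}", reasons))
    return findings


def removed_endpoints(old_text: str, new_text: str) -> list[str]:
    """Endpoints in the old list that the new list drops.

    Worth running before merging any allow-list edit: a dropped host that only
    a scheduled job needs (a nightly release upload, say) never shows up as a
    failure in the PR's own CI.
    """
    old = {f"{h}:{p}" for h, p in parse_endpoints(old_text)}
    new = {f"{h}:{p}" for h, p in parse_endpoints(new_text)}
    return sorted(old - new)


# Constructed sample lists for the example (shape of the PR's lists, not its
# exact contents).
SAMPLE_OLD = """
api.github.com:443
github.com:443
uploads.github.com:443
"""
SAMPLE_NEW = """
*.blob.storage.azure.net:443
api.github.com:443
api.ipify.org:443
bcr.bazel.build:443
github.com:443
storage.googleapis.com:443
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_NEW):
        print(f.endpoint, "->", "; ".join(f.reasons))
    print("removed:", removed_endpoints(SAMPLE_OLD, SAMPLE_NEW))
```

The audit is deliberately a review aid rather than a gate: a wildcard may be unavoidable (the Bazel case above), but the finding forces the reason to be written down next to the entry, and the removal diff catches the `uploads.github.com` situation before a nightly job discovers it.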
In addition to the general updates, this switches to requiring Python 3.10 for pre-commit (3.9 is losing support from black).
Note that endpoints for build actions are expanding significantly: see https://app.stepsecurity.io/github/carbon-language/carbon-lang/actions/runs/22779388360?tab=recommendations&jobId=66080970460 for an example. I think just the sources are being increased as a side-effect of updates (and possibly also things not performing as well as they should have before).
Similarly, this allows sudo in pre-commit because it was actually causing errors in part of the build setup, which used sudo to remove files.

Assisted-by: Google Antigravity with Gemini