GitHub Actions Workflows Security
This document describes the security measures implemented in ant-design's GitHub Actions workflows to protect against common attack vectors, particularly the "PWN Request" vulnerability.
Background: PWN Request Vulnerability
The "PWN Request" (or "Pull Request Target") vulnerability occurs when workflows:
- Use pull_request_target, workflow_run, or issue_comment triggers
- Check out code from untrusted sources (fork PRs)
- Execute that code with elevated privileges or access to secrets
This can allow attackers to:
- Steal repository secrets
- Execute remote code in the CI/CD environment
- Modify repository contents
- Compromise the supply chain
Reference: See GitHub Security Lab - Preventing PWN Requests
Security Principles Applied
1. Safe Use of pull_request_target
All workflows using pull_request_target follow these rules:
- ✅ NEVER check out PR code (actions/checkout with PR ref)
- ✅ NEVER run npm install or similar with PR code
- ✅ Only interact with PR metadata (comments, labels, status)
- ✅ Use minimal permissions (explicitly defined per job)
Safe workflows:
- preview-start.yml - Only comments on PRs
- pr-open-notify.yml - Only sends notifications
- pr-open-check.yml - Only validates PR content
- verify-files-modify.yml - Only checks file modifications via API
- pr-check-merge.yml - Only comments on branch merge PRs
- pr-contributor-welcome.yml - Only comments on merged PRs
- visual-regression-diff-start.yml - Only comments on PRs
2. Separation of Build and Deploy
We use the "build in PR, deploy in workflow_run" pattern:
Build Phase (uses pull_request trigger):
- preview-build.yml - Builds site from PR code with restricted permissions
- visual-regression-diff-build.yml - Generates screenshots from PR code
- Uses pull_request trigger (no secrets, read-only repository access)
- Uploads build artifacts (no secrets included)
Deploy Phase (uses workflow_run trigger):
- preview-deploy.yml - Downloads artifacts and deploys
- visual-regression-diff-finish.yml - Downloads artifacts and posts results
- Only downloads artifacts, never checks out untrusted code
- Has access to secrets for deployment
- Validates PR numbers before use
3. Authorization Checks
Workflows that can modify repository state require authorization:
- ✅ rebase.yml - Restricts /rebase command to MEMBER, COLLABORATOR, or OWNER
- ✅ verify-files-modify.yml - Checks contributor authority for protected paths
- ✅ pr-check-merge.yml - Only runs for ant-design organization PRs
4. Minimal Permissions
All workflows follow the principle of least privilege:
    permissions:
      contents: read # Default read-only access
    jobs:
      specific-job:
        permissions:
          # Only grant what's needed
          issues: write
          pull-requests: write
5. Pinned Action Versions
Critical actions are pinned to specific commit SHAs:
actions-cool/verify-files-modify@9f38a3b3d324d4d92c88c8a946001522e17ad554
This prevents supply chain attacks via compromised action updates.
6. Input Validation
All external inputs are validated:
- PR numbers are validated as numeric before use
- File paths are checked before operations
- User associations are verified before privileged operations
Workflow Security Checklist
When adding or modifying workflows, ensure:
- If using pull_request_target, NEVER check out PR code
- If using pull_request_target, NEVER run untrusted code
- If using issue_comment with code execution, check author_association
- If using workflow_run, only download artifacts or check out base branch
- Permissions are explicitly set to minimum required
- Secrets are only used in trusted contexts
- All user inputs are validated
- Third-party actions are from trusted sources
- Critical actions are pinned to commit SHAs
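An added example, not part of ant-design's own tooling: a small Python check that applies three of the checklist items above (no PR checkout under privileged triggers, explicit top-level permissions, SHA-pinned actions) to workflow text. The sample workflows and finding names are constructed, the checks are text heuristics rather than a YAML parse, and requiring a SHA pin on every remote action is a stricter assumption than the page's "critical actions".

```python
import re

# Constructed sample workflows for illustration (not files from the repository).
UNSAFE = """\
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install
"""
SAFE = """\
on: pull_request_target
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions-cool/verify-files-modify@9f38a3b3d324d4d92c88c8a946001522e17ad554
"""

# Triggers that run with base-repository privileges (named on this page).
PRIVILEGED = re.compile(r"\b(pull_request_target|workflow_run|issue_comment)\b")
# Expressions that resolve to the untrusted PR head.
PR_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref|refs/pull/")
USES = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.M)
PINNED = re.compile(r"@[0-9a-f]{40}$")


def audit_workflow(text):
    """Return sorted checklist findings for one workflow file (text heuristics)."""
    findings = set()
    # Privileged trigger + checkout + PR head ref in the same file.
    if PRIVILEGED.search(text) and "actions/checkout" in text and PR_REF.search(text):
        findings.add("checkout-of-pr-code")
    # No workflow-level permissions block means the token keeps repository defaults.
    if not re.search(r"^permissions:", text, re.M):
        findings.add("no-top-level-permissions")
    # Every remote action must be pinned to a full 40-hex commit SHA.
    for ref in USES.findall(text):
        if not ref.startswith(("./", "docker://")) and not PINNED.search(ref):
            findings.add("unpinned-action:" + ref)
    return sorted(findings)


if __name__ == "__main__":
    for name, wf in (("UNSAFE", UNSAFE), ("SAFE", SAFE)):
        print(name, audit_workflow(wf))
```

Run it over each file in .github/workflows during review; an empty list means none of the three heuristics fired, not that the workflow is safe.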
Incident Response
If a security vulnerability is discovered:
- Immediately disable the affected workflow
- Report to security team via SECURITY.md
- Do not disclose publicly until patched
- Review all recent workflow runs for signs of exploitation