
Restrict Forked PRs by Default in Open-Source Screwdriver #3245

Closed
VonnyJap opened this issue Nov 22, 2024 · 8 comments

Comments

@VonnyJap (Member)

What happened:

We recently learned that there was an attempt by a security researcher to exploit secrets stored in a Screwdriver pipeline by issuing a PR, as described here.

What you expected to happen:

We are proactively updating the default settings in the open-source Screwdriver to restrict forked PRs from running on trigger, preventing such attempts in the future.

How to reproduce it:

Please refer to the PR link above.

@VonnyJap (Member, Author)

@kumada626 - we are aware that PRs coming from your group are normally created from forks. We would like to add all of your team members as admins of the open-source instance, so that all of your members are able to run PR jobs manually. What do you think? Here is the list of your team members that we are aware of; please confirm the active members and let us know if we need to add any others.

@kumada626 (Contributor)

@VonnyJap I have no concerns about adding our team members as admins as long as there are no problems on your side.
Please add the members below to that team.

@VonnyJap (Member, Author)

@kumada626 - I have added you and the members below as admins:

@yk634
@y-oksaku
@yakanechi
@foxtrot0304

And I have also turned on the default restrict-PR-run setting on the Screwdriver instances.

@kumada626 (Contributor)

@VonnyJap Thank you for adding members as admins of the open-source instance.
I apologize for the oversight. It would be helpful if you could also include the members who belong to the LY team along with those listed in the comments. Additionally, adding the members listed in the comments to the team would make it easier to manage.

@foxtrot0304

@VonnyJap
Thank you for adding me as an admin. However, I’m having trouble logging into the web UI at cd.screwdriver.cd with my GitHub account. I’m wondering if the admin addition and the login permissions might be separate. Currently, I can only access it as a guest.
Could you please update the settings to ensure I have the necessary login access, if possible? Thank you!

@VonnyJap (Member, Author) commented Nov 28, 2024

@foxtrot0304 - can you now attempt to access cd.screwdriver.cd with your GitHub account? I have just provisioned the access.

I’m wondering if the admin addition and the login permissions might be separate.

Yes, they are separate permissions.

@VonnyJap (Member, Author)

@kumada626 - I will add the members who belong to the LY team as admins as well. Can you please confirm that all of them are still active members and maintainers of Screwdriver? Thanks.

@foxtrot0304

@VonnyJap
Thank you for adding me. I've confirmed that I can log in now. I appreciate it!
