DUE TO SPAM, SIGN-UP IS DISABLED. Goto Selfserve wiki signup and request an account.
...
In such a scenario, you must be careful to make sure all evaluation of untrusted code happens in the pull_request build, and no untrusted code is executed in the on_workflow part of the workflow.
When extracting and using the artifacts it is important to remember that they were produced in an untrusted context and their content is not to be trusted.
- Always extract into a directory separate from the trusted code in a step before checking out said trusted code. This stops files extracted from the archive from clobbering trusted code.
- A separate directory can also prevent files in the artifact impersonating often used python modules like
pipas runningpython -m pip ...would execute a pip.py file in the cwd - Validate any content you retrieve from an artifact before you use it to avoid command injection, especially in steps using
bashand Github Actions macros.- This includes using
caton such files as well as putting their content into environment variables (a popular exploit is to modifyLD_PRELOAD, some examples ), step outputs to use via${{ steps.id.outputs.sus_content }}to be used in e.g.ifin bash.
- This includes using
3rd-party actions
The Apache Infrastructure GitHub Actions Policy states actions outside of apache/*, github/* and actions/* must be pinned to the specific git hash (SHA1) of the action that has been reviewed for use by the project. For instance, you MUST pin foobar/baz-action@8843d7f92416211de9ebb963ff4ce28125932878.
...