qiurui
/
armbian-build
mirror of https://github.com/armbian/build.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Change to different method of getting changed files 

Addressing security issue: https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
This commit is contained in:
Igor Pecovnik 2025-03-15 12:40:11 +01:00 committed by Igor
parent 0ccbe8bcc7
commit d4022fbbbb
2 changed files with 58 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
.github/workflows/pr-kernel-security-analysis.yml vendored
View File

@ -1,11 +1,27 @@
name: Kernel Hardening Analysis name: Kernel Hardening Analysis
run-name: 'Check kernel security options - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")' run-name: 'Check kernel security options - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")'
# -----------------------------------------------------------------------------
# This workflow analyzes Linux kernel configuration files to check for
# security hardening options using the kernel-hardening-checker tool.
# #
# Check the Linux kernel options against security hardening # ⚠️ Important:
# Modifying security parameters may impact system performance and
# functionality of userspace software.
# #
# Attention! Changing security parameters may also affect system performance and functionality of userspace software! # More info:
# More info: # https://github.com/a13xp0p0v/kernel-hardening-checker
# https://github.com/a13xp0p0v/kernel-hardening-checker #
# Triggers:
# - Manually via workflow_dispatch
# - On pull request events: ready_for_review, opened, reopened, or synchronized
#
# Features:
# - Runs only for PRs targeting the 'Armbian' repository
# - Validates kernel `.config` files for security best practices
# - Skips RISC-V configurations due to known compatibility issues
# - Provides a formatted security report in GitHub Actions summary
# -----------------------------------------------------------------------------
on: on:
workflow_dispatch: workflow_dispatch:
@ -17,7 +33,7 @@ permissions:
contents: read contents: read
concurrency: concurrency:
group: pipeline-security-${{github.event.pull_request.number}} group: pipeline-security-${{ github.event.pull_request.number }}
cancel-in-progress: true cancel-in-progress: true
jobs: jobs:
@ -33,22 +49,23 @@ jobs:
fetch-depth: 0 fetch-depth: 0
- name: Get changed files - name: Get changed files
id: changed-files id: files
uses: tj-actions/changed-files@v45 uses: UplandJacob/retrieve-changed-files@v4
- name: Checkout repository - name: Checkout kernel-hardening-checker
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
repository: a13xp0p0v/kconfig-hardened-check repository: a13xp0p0v/kconfig-hardened-check
path: kconfig-hardened-check path: kconfig-hardened-check
- name: Check kernel config for security issues - name: Run kernel security analysis
# Run kernel-hardening-checker for each kernel config file excluding RISC-V configs, since they are not supported yet.
# See https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56
# sed explanation: 1) Put spaces in front of every line 2) replace colored output with emojis since GitHub Actions job summaries don't support colored output
run: | run: |
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do for file in ${{ steps.files.outputs.all }}; do
# Process only kernel configuration files and skip RISC-V configs
if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then
kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file | sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' >> $GITHUB_STEP_SUMMARY # Run security checks and format output for GitHub Actions summary
kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file \
| sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' \
>> $GITHUB_STEP_SUMMARY
fi fi
done done

45
.github/workflows/pr-lint-scripts.yml vendored
View File

@ -1,8 +1,21 @@
name: Lint on Scripts name: Lint on Scripts
run-name: 'Shellcheck - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")' run-name: 'ShellCheck - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")'
# -----------------------------------------------------------------------------
# This workflow runs ShellCheck on all relevant shell scripts in the repository
# to ensure code quality, best practices, and prevent common scripting errors.
# It generates a linting report and provides feedback for pull requests.
# #
# Run ShellCheck on all scripts and generate report as build artifact # Triggers:
# - Manually via workflow_dispatch
# - On pull request events: opened, reopened, or synchronized with new commits
# #
# Features:
# - Runs only for PRs targeting the 'Armbian' repository
# - Checks only modified shell scripts while ignoring non-shell files
# - Ensures accurate analysis by leveraging framework-specific mechanisms
# - Uses concurrency control to prevent redundant executions
# -----------------------------------------------------------------------------
on: on:
workflow_dispatch: workflow_dispatch:
@ -13,7 +26,7 @@ permissions:
contents: read contents: read
concurrency: concurrency:
group: pipeline-lint-${{github.event.pull_request.number}} group: pipeline-lint-${{ github.event.pull_request.number }}
cancel-in-progress: true cancel-in-progress: true
jobs: jobs:
@ -29,31 +42,25 @@ jobs:
fetch-depth: 2 fetch-depth: 2
- name: Get changed files - name: Get changed files
id: changed-files id: files
uses: tj-actions/changed-files@v45 uses: UplandJacob/retrieve-changed-files@v4
- name: List all changed files - name: List and analyze changed shell scripts
run: | run: |
# Utilize the framework's internal mechanism to check `lib/` and `extensions/` scripts.
# Use framework internal mechanism for checking `lib` and `extensions` code only one file is passed, # This ensures correct context resolution, avoiding false positives in variable usage.
# and source's are followed, thus the whole project is "understood" by shellcheck.
# For example, when checking individual files, one variable might be thought "unused" because it
# is only used in another file, which does not happen when done properly.
bash lib/tools/shellcheck.sh bash lib/tools/shellcheck.sh
ret=0 ret=0
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do for file in ${{ steps.files.outputs.all }}; do
# Ignore non-shell files
if [[ ! "${file}" =~ lib/|extensions/|.py|.service|.rules|.network|.netdev ]]; then if [[ ! "${file}" =~ lib/|extensions/|.py|.service|.rules|.network|.netdev ]]; then
if grep -qE "^#\!/.*bash" $file; then # Check if the file has a bash shebang and run ShellCheck
if grep -qE "^#\!/.*bash" "$file"; then
shellcheck --severity=error $file || ret=$? shellcheck --severity=error "$file" || ret=$?
fi fi
fi fi
done done
exit $ret exit $ret