Skip to content

chore: auto merge dependabot PRs for patch updates #16222

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jan 22, 2025
Merged

chore: auto merge dependabot PRs for patch updates #16222

merged 4 commits into from
Jan 22, 2025

Conversation

matifali
Copy link
Member

@matifali matifali requested a review from dannykopping January 22, 2025 09:21
matifali
matifali commented Jan 22, 2025
View reviewed changes
.github/workflows/contrib.yaml
Comment on lines -47 to -51
- name: Harden Runner
uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
with:
egress-policy: audit

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing these as they do not provide any value in this workflow.
Also, this does not affect the OpenSSF score.

@matifali matifali changed the title chore: auto merge dependabot PRs chore: auto merge dependabot PRs for patch updates Jan 22, 2025
dannykopping
dannykopping reviewed Jan 22, 2025
View reviewed changes
.github/workflows/contrib.yaml
runs-on: ubuntu-latest
if: github.event_name == 'pull_request_target'
if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'coder/coder'
Copy link
Contributor

@dannykopping dannykopping Jan 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems far too flimsy; is there no way we can reference a user by ID?

This workflow has to be crazy hardened if we're going to enable it.

See also: https://www.synacktiv.com/en/publications/github-actions-exploitation-dependabot
I have not read it fully; I'm focused on other tasks today

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have been doing it at other places in ci.yaml too.

Also, they suggest we follow the GitHub docs. See: https://www.synacktiv.com/en/publications/github-actions-exploitation-dependabot#footnote4_i8j88po

And we are exactly following that.

As far as I understand, the exploit only works when using pull_request_target, and I have changed that to pull_request as per GitHub's recommendation.
See: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also trpc fixed it by updating github.actor --> github.event.pull_request.user.login
See: trpc/trpc@8187594

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://api.github.com/users/dependabot[bot]

Can we not reference the ID instead? I wonder why they suggest login instead; feels flimsy.

ethanndickson
ethanndickson approved these changes Jan 22, 2025
View reviewed changes
@matifali matifali requested a review from dannykopping January 22, 2025 10:53
@matifali
Update pull request event types in workflow
fb17a7c 
This will ensure we run on label chnages.
ethanndickson
ethanndickson approved these changes Jan 22, 2025
View reviewed changes
Copy link
Member

@ethanndickson ethanndickson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

dannykopping
dannykopping approved these changes Jan 22, 2025
View reviewed changes
Copy link
Contributor

@dannykopping dannykopping left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but I'd feel a lot more comfortable if we had some oversight of this in Slack

For example, every automerge for these PRs notifies a specific channel which we can check from time to time.

@matifali
Copy link
Member Author

For example, every automerge for these PRs notifies a specific channel which we can check from time to time.

We can do that. I am holding to merge and see if I can squeeze within the current PR.

@matifali
Copy link
Member Author

LGTM but I'd feel a lot more comfortable if we had some oversight of this in Slack
For example, every automerge for these PRs notifies a specific channel which we can check from time to time.

This is a bit tricky, as we are only enabling auto merge but would still need to wait for the CI to pass. We need to wait for the PR to merge before we send the notification.

I will come to this in a follow up.

@matifali matifali merged commit f495ff0 into main Jan 22, 2025
30 checks passed
@matifali matifali deleted the atif/auto-merge-dependabot-PRs branch January 22, 2025 16:24
@github-actions github-actions bot locked and limited conversation to collaborators Jan 22, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dannykopping dannykopping dannykopping approved these changes

@ethanndickson ethanndickson ethanndickson approved these changes

Assignees

@matifali matifali

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@matifali @dannykopping @ethanndickson