
Can I add myself to privileged-requester.yaml or set commitVerification: false in the PR and get auto approved/impersonate? #177

Open
lawrencegripper opened this issue Sep 25, 2024 · 3 comments
Labels
enhancement New feature or request

Comments


lawrencegripper commented Sep 25, 2024

Sorry if there is a mitigation in here I've missed, wanted to validate if this was possible.

Is it possible, for example, to edit the privileged-requester.yaml file in the PR where I make my changes so that it includes my user as a privileged requestor?

In a similar issue to the one @nobe4 mentioned 👇 , could I set commitVerification to false in the branch to allow impersonation and then push as the bot user with unsigned commits?

I think these would be mitigated by reading the configuration from the default branch rather than from the PR branch but I'm not sure how to work that with

@lawrencegripper lawrencegripper changed the title Can I add myself to privileged-requester.yaml in the PR and get auto approved? Can I add myself to privileged-requester.yaml or set commitVerification: false in the PR and get auto approved/impersonate? Sep 25, 2024
@GrantBirki
Member

👋 Hey @lawrencegripper! Here are some of the answers you seek

Is it possible, for example, to edit the privileged-requester.yaml file in the PR where I make my changes so that it includes my user as a privileged requestor?

The method that fetches the privileged-requester config looks at the main branch by default.

In a similar issue to the one @nobe4 mentioned 👇 , could I set commitVerification to false in the branch to allow impersonation and then push as the bot user with unsigned commits?

I do believe that this would be possible due to the nature in which Actions works. Perhaps a safer option would be to include it in the config that lives on the main branch and inform the Action to always read from there rather than from its own config that can be altered on PRs?


lawrencegripper commented Sep 25, 2024

The method that fetches the privileged-requester config looks at the main branch by default.

Ah nice ❤️

I do believe that this would be possible due to the nature in which Actions works.

Yeah, this is the route we try to use on Heaven when reading configuration that is enforcement/permissions related: we try to always read from the main branch. It's not always possible though, and sometimes we don't get it right.

@GrantBirki GrantBirki self-assigned this Sep 25, 2024
@GrantBirki
Member

IMO we need to update this Action with a new major version (breaking change) that ensures all config options related to security live on the main branch outside of the Action's config.
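As an added example (not code from the Action discussed in this thread) of the mitigation described in the answer above and the config split proposed in this comment: a Python sketch that resolves the privileged-requester list and the commitVerification setting only from the repository's default branch, then checks the PR head's signature status. The API stand-in, file contents, branch name, user names and the minimal YAML parser are all constructed for the example.

```python
import base64
from typing import Callable

CONFIG_PATH = ".github/privileged-requesters.yaml"
# In a real Action take this from GET /repos/{owner}/{repo} -> "default_branch".
DEFAULT_BRANCH = "main"

# Constructed repository contents: the same file on two refs. On the PR branch the
# author has added themselves and switched commitVerification off (the issue's scenario).
FILES = {
    (DEFAULT_BRANCH, CONFIG_PATH): "commitVerification: true\nrequesters:\n  - octocat\n",
    ("feature/escalate", CONFIG_PATH): "commitVerification: false\nrequesters:\n  - octocat\n  - mallory\n",
}

def get_content(ref: str, path: str) -> dict:
    """Stand-in for GET /repos/{owner}/{repo}/contents/{path}?ref={ref};
    the real response carries the file base64-encoded in "content"."""
    return {"encoding": "base64", "content": base64.b64encode(FILES[(ref, path)].encode()).decode()}

def parse_config(text: str) -> dict:
    """Minimal stand-in for a YAML loader covering only the two keys used here."""
    cfg = {"commitVerification": True, "requesters": []}
    for line in text.splitlines():
        if line.startswith("commitVerification:"):
            cfg["commitVerification"] = line.split(":", 1)[1].strip().lower() == "true"
        elif line.startswith("  - "):
            cfg["requesters"].append(line[4:].strip())
    return cfg

def load_config(fetch: Callable[[str, str], dict], ref: str) -> dict:
    """Fetch and parse the config at an explicit ref, never at the checked-out PR head."""
    body = fetch(ref, CONFIG_PATH)
    return parse_config(base64.b64decode(body["content"]).decode())

def may_auto_approve(requester: str, head_commit: dict, config_ref: str = DEFAULT_BRANCH) -> bool:
    """Decide using only the config found at config_ref. head_commit mirrors the shape
    of GET /repos/{owner}/{repo}/commits/{sha}; commit.verification is GitHub's own
    signature check on the PR head, so a PR cannot switch it off."""
    cfg = load_config(get_content, config_ref)
    if requester not in cfg["requesters"]:
        return False
    if cfg["commitVerification"] and not head_commit["commit"]["verification"]["verified"]:
        return False
    return True

if __name__ == "__main__":
    unsigned = {"sha": "0" * 40, "commit": {"verification": {"verified": False, "reason": "unsigned"}}}
    print(may_auto_approve("mallory", unsigned))                      # False: trusted ref
    print(may_auto_approve("mallory", unsigned, "feature/escalate"))  # True: PR-branch config
```

Passing the PR head as config_ref reproduces the self-escalation the issue asks about; defaulting to the default branch closes it.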

@GrantBirki GrantBirki added the enhancement New feature or request label Sep 25, 2024
@GrantBirki GrantBirki removed their assignment Oct 8, 2024