BRE-706 - Remediate compromised action (#368)

9 months ago · 2b86ba0d08
2 changed files with 25 additions and 3 deletions
--- a/.github/workflows/workflow-linter.yml
+++ b/.github/workflows/workflow-linter.yml
@ -12,21 +12,43 @@ on:
				@@ -12,21 +12,43 @@ on:
 jobs:
  lint:
    name: Lint
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: Check out branch
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          repository: ${{ github.repository }}
-          fetch-depth: 0
+          fetch-depth: ${{ github.event_name == 'pull_request' && 2 || 0 }}
+
+      - name: Check changed files for workflow changes
+        id: changed-workflows
+        run: |
+            if ${{ github.event_name == 'pull_request' }}; then
+              changed_files=$(git diff --name-only -r HEAD^1 HEAD | xargs)
+            else
+              changed_files=$(git diff --name-only ${{ github.event.before }} ${{ github.event.after }} | xargs)
+            fi
+
+            count=$(( 0 ))
+            for file in $changed_files; do
+              if [[ "$file" == ".github/workflows/"* ]]; then
+                count=$(( $count + 1 ))
+              fi 
+            done
+
+            echo "Workflow files changed: $count"
+            echo "changed_files_count=$count" >> $GITHUB_OUTPUT

      - name: Set up Python 3.11
+        if: steps.changed-workflows.outputs.changed_files_count != '0'
        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
        with:
          python-version: "3.11"

      - name: Install bwwl binary
+        if: steps.changed-workflows.outputs.changed_files_count != '0'
        run: python -m pip install --upgrade bitwarden_workflow_linter

      - name: Lint
+        if: steps.changed-workflows.outputs.changed_files_count != '0'
        run: bwwl lint -f .github/workflows
--- a/lint-workflow/lint.py
+++ b/lint-workflow/lint.py
@ -209,7 +209,7 @@ def get_action_update(action_id):
				@@ -209,7 +209,7 @@ def get_action_update(action_id):

 def lint(filename):

-    supported_actions = {"act10ns/slack", "actions/cache", "actions/checkout", "actions/delete-package-versions", "actions/download-artifact", "actions/github-script", "actions/labeler", "actions/setup-dotnet", "actions/setup-java", "actions/setup-node", "actions/setup-python", "actions/stale", "actions/upload-artifact", "android-actions/setup-android", "Asana/create-app-attachment-github-action", "Azure/functions-action", "Azure/get-keyvault-secrets", "Azure/login", "azure/webapps-deploy", "bitwarden/sm-action", "checkmarx/ast-github-action", "chrnorm/deployment-action", "chrnorm/deployment-status", "chromaui/action", "cloudflare/pages-action", "convictional/trigger-workflow-and-wait", "crazy-max/ghaction-import-gpg", "crowdin/github-action", "dawidd6/action-download-artifact", "dawidd6/action-homebrew-bump-formula", "digitalocean/action-doctl", "docker/build-push-action", "docker/setup-buildx-action", "docker/setup-qemu-action", "dorny/test-reporter", "dtolnay/rust-toolchain", "futureware-tech/simulator-action", "hashicorp/setup-packer", "macauley/action-homebrew-bump-cask", "microsoft/setup-msbuild", "ncipollo/release-action", "peter-evans/close-issue", "ruby/setup-ruby", "samuelmeuli/action-snapcraft", "snapcore/action-build", "sonarsource/sonarcloud-github-action", "stackrox/kube-linter-action", "Swatinem/rust-cache", "SwiftDocOrg/github-wiki-publish-action", "SwiftDocOrg/swift-doc", "tj-actions/changed-files", "yogevbd/enforce-label-action"}
+    supported_actions = {"act10ns/slack", "actions/cache", "actions/checkout", "actions/delete-package-versions", "actions/download-artifact", "actions/github-script", "actions/labeler", "actions/setup-dotnet", "actions/setup-java", "actions/setup-node", "actions/setup-python", "actions/stale", "actions/upload-artifact", "android-actions/setup-android", "Asana/create-app-attachment-github-action", "Azure/functions-action", "Azure/get-keyvault-secrets", "Azure/login", "azure/webapps-deploy", "bitwarden/sm-action", "checkmarx/ast-github-action", "chrnorm/deployment-action", "chrnorm/deployment-status", "chromaui/action", "cloudflare/pages-action", "convictional/trigger-workflow-and-wait", "crazy-max/ghaction-import-gpg", "crowdin/github-action", "dawidd6/action-download-artifact", "dawidd6/action-homebrew-bump-formula", "digitalocean/action-doctl", "docker/build-push-action", "docker/setup-buildx-action", "docker/setup-qemu-action", "dorny/test-reporter", "dtolnay/rust-toolchain", "futureware-tech/simulator-action", "hashicorp/setup-packer", "macauley/action-homebrew-bump-cask", "microsoft/setup-msbuild", "ncipollo/release-action", "peter-evans/close-issue", "ruby/setup-ruby", "samuelmeuli/action-snapcraft", "snapcore/action-build", "sonarsource/sonarcloud-github-action", "stackrox/kube-linter-action", "Swatinem/rust-cache", "SwiftDocOrg/github-wiki-publish-action", "SwiftDocOrg/swift-doc", "yogevbd/enforce-label-action"}

    findings = []
    max_error_level = 0