[Security] Remove usage of GitHub action caching from critical workflows #377

Open
georgewrmarshall opened this issue Jan 27, 2025 · 0 comments
Copy of https://github.com/MetaMask/MetaMask-planning/issues/3925

Context

An attack pattern is emerging where malicious actors are able to inject malicious code into the release of applications by exploiting the behaviour of caching in GitHub Actions (also known as cache poisoning). In order to eliminate the possibility of this attack vector, we are requiring that all release workflows using GitHub's caching either eliminate their usage of caching or migrate to using GitHub artifacts instead.

You can learn more about this kind of attack by reading the following blog posts:

Which GitHub workflows require updating

Any workflow that uses GitHub caching and is responsible for publishing changes, or has access to sensitive secrets, is at risk. Here are the two ways that caching is commonly used in workflows at MetaMask:

  1. Using GitHub's actions/cache

    This action allows you to cache specific files you choose. (example)

     uses: actions/cache@v3
      ....
  2. Setting the cache option with actions/setup-node

    This action sets up node, but has optional configuration that lets you restore node modules from a cache. (example)

          uses: actions/setup-node@v4
          with:
            node-version-file: '.nvmrc'
            cache: 'yarn'

How do I resolve this issue?

Example pull request: MetaMask/metamask-module-template#257

If build performance is not a concern, you can resolve this issue by removing the usage of actions/cache (see 1. above), and the usage of cache: ... for the actions/setup-node action (see 2. above) in your affected workflow.

If build performance is a concern, proceed to the next section about migrating from GitHub caching to GitHub artifacts.

Migrating from GitHub caching to GitHub Artifacts

Warning

If your repository is public, any artifacts created are made publicly available for download. Do not use artifacts if you intend to cache sensitive information such as builds that contain secrets.

  1. First determine what files you were previously caching:

    a) If you were using the cache: yarn option with actions/setup-node, this means you were caching your node_modules directory.
    b) If you were using actions/cache, check the path argument to see which files or directories you were caching.

  2. Remove the code that was setting the cache, and replace it with code to upload your GitHub artifact:

    # Example of using build artifacts to cache 
    - name: Upload build artifacts
      uses: actions/upload-artifact@v4
      with:
        # The name of the artifact will be used to download the artifacts later.
        name: example-github-artifact
        # After the retention period, artifacts are deleted.
        retention-days: 4
        # Use with caution. Including your `.git` directory in your GitHub artifact can leak GitHub access tokens.
        # Never use `include-hidden-files` true when creating an artifact in the root directory.
        # By default artifacts don't back up hidden files, but we require node_modules/.yarn-state.yml to be backed up.
        include-hidden-files: true
        # Replace the path with any files or directories you wish to be included in your artifact.
        path: |
          ./dist
  3. Replace the code that was restoring data from the cache with code that downloads the artifact you created

  name: Setup Node
  uses: actions/setup-node@v4
  with:
    node-version-file: '.nvmrc'
-   cache: 'yarn'
-      - uses: actions/cache@v3
+      - uses: actions/download-artifact@v4
         with:
-          path: |
-            ./dist
-            ./node_modules/.yarn-state.yml
-          key: ${{ github.sha }}
+          name: example-github-artifact
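
Review bot: the added `actions/download-artifact@v4` step sets only `name: example-github-artifact` and drops the `path:` entries that the removed `actions/cache@v3` step restored to (`./dist`, `./node_modules/.yarn-state.yml`). Without `path`, the action extracts into the workspace root by default, so set `path:` explicitly to the directory that later steps read from. The removed `key: ${{ github.sha }}` also tied the restored data to the commit, while the artifact name is a constant; by default the download only sees artifacts from the current workflow run, so step 3 should say that the downloading job must `needs` the job that uploads the artifact.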

Workflows known to be affected

Repository: abi-utils

Repository: accounts

Repository: accounts-chain-api

Repository: api-specs

Repository: auto-changelog

Repository: browser-passworder

Repository: core

Repository: design-tokens

Repository: docusaurus-openrpc

Repository: ens-resolver-snap

Repository: eslint-config

Repository: eth-json-rpc-middleware

Repository: eth-ledger-bridge-keyring

Repository: eth-query

Repository: eth-sig-util

Repository: eth-token-tracker

Repository: eth-trezor-keyring

Repository: gpt-txn-insights

Repository: KeyringController

Repository: metamask-developer-dashboard

Repository: metamask-sdk

Repository: message-signing-snap

Repository: nonce-tracker

Repository: phishing-warning

Repository: poc-btc-core

Repository: ppom-validator

Repository: rpc-errors

Repository: safe-event-emitter

Repository: scure-bip39

Repository: smart-transactions-controller

Repository: snap-4337-accounts

Repository: snap-bitcoin-wallet

Repository: snap-box

Repository: snap-institutional-wallet

Repository: snap-simple-keyring

Repository: snap-solana-wallet

Repository: snap-watch-only

Repository: snaps

Repository: snaps-registry

Repository: stake-sdk

Repository: swaps-controller

Repository: swaps-controller-release-staging-tmp-202405

Repository: swappable-obj-proxy

Repository: template-snap

Repository: test-bundler

Repository: test-dapp-multichain

Repository: test-snaps

Repository: utils
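
To check a repository's workflow files for the two caching patterns described under "Which GitHub workflows require updating", a line-based scan is enough. The following is an added example, not code from the issue or from MetaMask; the sample workflow is constructed, and treating any `secrets.` reference as "has access to sensitive secrets" is a heuristic assumption.

```python
import re

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
name: Publish
on: push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
          cache: 'yarn'
      - uses: actions/cache@v3
        with:
          path: ./dist
          key: ${{ github.sha }}
      - run: yarn npm publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
CACHE_RE = re.compile(r"^\s*cache:\s*['\"]?([^\s'\"#]+)")
STEP_RE = re.compile(r"^\s*-\s+\w")  # a new list item starts a new step


def find_cache_usage(text):
    """Return (line_number, reason) for the two caching patterns in the issue."""
    findings, action = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if STEP_RE.match(line):
            action = None
        uses = USES_RE.match(line)
        cache = CACHE_RE.match(line)
        if uses:
            action = uses.group(1)
            # Matches actions/cache@... and sub-actions such as actions/cache/restore@...
            if action.split("@")[0].split("/")[:2] == ["actions", "cache"]:
                findings.append((lineno, "actions/cache step"))
        elif cache and action and action.startswith("actions/setup-node@"):
            findings.append((lineno, "setup-node cache: " + cache.group(1)))
    return findings


def is_at_risk(text):
    """Caching combined with a secrets reference (heuristic, an assumption)."""
    return bool(find_cache_usage(text)) and "secrets." in text
```

The scan assumes `uses:` appears before `with:` within a step, which is the layout used in the snippets above.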
