From: Dmitry Misharov
Date: Thu, 23 Oct 2025 10:29:34 +0000 (+0200)
Subject: remove workflow_run trigger in fips and abiddif workflows
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8948ccdf03435368cd894b944b116e6c5a17ec59;p=thirdparty%2Fopenssl.git

remove workflow_run trigger in fips and abiddif workflows

workflow_run runs in the context of the target repository rather than the fork repository, while also being typically triggerable by the latter. This can lead to attacker controlled code execution or unexpected action runs with context controlled by a malicious fork.

https://docs.zizmor.sh/audits/#dangerous-triggers

Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28982)
---

diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml
index 22b7da2257..e185c59d63 100644
--- a/.github/workflows/fips-checksums.yml
+++ b/.github/workflows/fips-checksums.yml
@@ -14,6 +14,8 @@ permissions: jobs: compute-checksums: runs-on: ubuntu-latest + outputs: + fips_status: ${{ steps.fips_result.outputs.fips_status }} steps: - name: install unifdef run: | 
@@ -65,19 +67,24 @@ jobs: cp -a build-pristine/providers/fips.module.sources.new source/providers/fips.module.sources cp -a build-pristine/providers/fips-sources.checksums.new source/providers/fips-sources.checksums cp -a build-pristine/providers/fips.checksum.new source/providers/fips.checksum - - name: make diff-fips-checksums - run: make diff-fips-checksums && touch ../artifact/fips_unchanged || ( touch ../artifact/fips_changed ; echo FIPS CHANGED ) - working-directory: ./build - - name: save PR number - run: echo ${{ github.event.number }} > ./artifact/pr_num - - name: save artifact - uses: actions/upload-artifact@v4 - with: - name: fips_checksum - path: artifact/ + - id: fips_result + name: diff-fips-checksums (record status) + run: | + set +e + make -C build diff-fips-checksums + rc=$? + if [ $rc -eq 0 ]; then + echo "fips_status=unchanged" >> "$GITHUB_OUTPUT" + else + echo "fips_status=changed" >> "$GITHUB_OUTPUT" + echo "FIPS CHANGED" + fi + exit 0 compute-abidiff: runs-on: ubuntu-latest + outputs: + abi_status: ${{ steps.abi_result.outputs.abi_status }} env: BUILD_OPTS: -g --strict-warnings enable-ktls enable-fips enable-egd enable-ec_nistp_64_gcc_128 enable-md2 enable-rc5 enable-sctp enable-ssl3 enable-ssl3-method enable-trace enable-zlib enable-zstd steps: 
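Review bot: The new `fips_result` step turns off errexit with `set +e` and ends with an unconditional `exit 0`, but nothing records why, and a later reader may well "fix" it back into a step that fails on a checksum mismatch. Because `apply-label` lists this job in `needs:`, a non-zero exit here would skip the labelling job altogether, which is presumably why the exit status is captured into `fips_status` instead; a comment such as `# Never fail this step: apply-label depends on this job and needs fips_status either way` above `set +e` would preserve that reasoning. Note also that any non-zero exit from `make -C build diff-fips-checksums` — including a build or tooling error unrelated to the FIPS sources — is recorded as `changed`, exactly as the replaced `touch fips_changed` step behaved; if that is not intended, the step would need to inspect the exit status more finely than `rc -eq 0`. The `abi_result` step in the next hunk follows the same pattern and would benefit from the same comment.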
@@ -112,12 +119,73 @@ jobs: - name: make run: make -s -j4 working-directory: ./build - - name: abidiff - run: abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so && touch ./artifact/abi_unchanged || ( touch ./artifact/abi_changed ; echo ABI CHANGED ) - - name: save PR number - run: echo ${{ github.event.number }} > ./artifact/pr_num - - name: save artifact - uses: actions/upload-artifact@v4 + - id: abi_result + name: abidiff (record status) + run: | + set +e + abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libcrypto.so ./build/libcrypto.so \ + && abidiff --headers-dir1 build-pristine/include/openssl --headers-dir2 build/include/openssl --drop-private-types ./build-pristine/libssl.so ./build/libssl.so + rc=$? 
+ if [ $rc -eq 0 ]; then + echo "abi_status=unchanged" >> "$GITHUB_OUTPUT" + else + echo "abi_status=changed" >> "$GITHUB_OUTPUT" + echo "ABI CHANGED" + fi + exit 0 + + apply-label: + permissions: + contents: read + pull-requests: write + needs: [compute-checksums, compute-abidiff] + runs-on: ubuntu-latest + steps: + - name: Apply/Remove labels (github-script) + uses: actions/github-script@v7 + env: + PR_NUM: ${{ github.event.number }} + FIPS_STATUS: ${{ needs.compute-checksums.outputs.fips_status }} + ABI_STATUS: ${{ needs.compute-abidiff.outputs.abi_status }} with: - name: abidiff - path: artifact/ + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const prNum = Number(process.env.PR_NUM); + const fipsStatus = process.env.FIPS_STATUS; + const abiStatus = process.env.ABI_STATUS; + const owner = context.repo.owner; + const repo = context.repo.repo; + + const FIPS_LABEL = 'severity: fips change'; + const ABI_LABEL = 'severity: ABI change'; + + async function ensureRemoved(label) { + const { data } = await github.rest.issues.listLabelsOnIssue({ owner, repo, issue_number: prNum }); + const exists = data.some(l => l.name === label); + if (exists) { + await github.rest.issues.removeLabel({ owner, repo, issue_number: prNum, name: label }); + core.info(`Removed label: ${label}`); + } else { + core.info(`Label not present: ${label}`); + } + } + + // FIPS + if (fipsStatus === 'changed') { + await github.rest.issues.addLabels({ owner, repo, issue_number: prNum, labels: [FIPS_LABEL] }); + core.info(`Added label: ${FIPS_LABEL}`); + } else if (fipsStatus === 'unchanged') { + await ensureRemoved(FIPS_LABEL); + } else { + core.warning(`Unknown FIPS status: ${fipsStatus}`); + } + + // ABI + if (abiStatus === 'changed') { + await github.rest.issues.addLabels({ owner, repo, issue_number: prNum, labels: [ABI_LABEL] }); + core.info(`Added label: ${ABI_LABEL}`); + } else if (abiStatus === 'unchanged') { + await ensureRemoved(ABI_LABEL); + } else { + core.warning(`Unknown ABI 
status: ${abiStatus}`);
+ }
diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml
deleted file mode 100644
index ad175abc3f..0000000000
--- a/.github/workflows/fips-label.yml
+++ /dev/null
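Review bot: `const prNum = Number(process.env.PR_NUM);` has no guard: whenever `github.event.number` is absent from the event payload (any trigger other than a pull request event; the workflow's `on:` block is outside this hunk) it evaluates to `0`, and the first `addLabels`/`removeLabel` call then fails the `apply-label` job with an API error instead of skipping cleanly. Add `if (!Number.isInteger(prNum) || prNum <= 0) { core.info('No pull request number in the event; skipping label update'); return; }` before the label logic. A second consequence of moving the labelling into this workflow deserves confirming against that `on:` block: if the trigger is `pull_request` rather than `pull_request_target`, the `GITHUB_TOKEN` issued for a pull request from a fork is read-only regardless of the job's `pull-requests: write` grant, so the label calls would fail with a 403 for precisely the PRs these labels exist for, and a short comment on the `permissions:` stanza should say which case the job is designed for. Minor: `github-token: ${{ secrets.GITHUB_TOKEN }}` is already the default for `actions/github-script@v7` and can be dropped. The `jobs:` mapping that `apply-label` is added to begins before this hunk.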
@@ -1,141 +0,0 @@ -# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved. -# -# Licensed under the Apache License 2.0 (the "License"). You may not use -# this file except in compliance with the License. You can obtain a copy -# in the file LICENSE in the source distribution or at -# https://www.openssl.org/source/license.html - -name: FIPS and ABI Changed Label -on: - workflow_run: - workflows: ["FIPS Check and ABIDIFF"] - types: - - completed - -permissions: - contents: read - -jobs: - apply-label: - permissions: - actions: read - pull-requests: write - runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.event == 'pull_request' }} - steps: - - name: 'Download fipscheck artifact' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v7 - with: - script: | - var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: ${{github.event.workflow_run.id }}, - }); - var matchArtifact = artifacts.data.artifacts.filter((artifact) => { - return artifact.name == "fips_checksum" - })[0]; - var download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - var fs = require('fs'); - fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data)); - - run: unzip artifact.zip - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - name: 'Check artifact and apply' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v7 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - var fs = require('fs'); - var pr_num = Number(fs.readFileSync('./pr_num')); - if ( fs.existsSync('./fips_changed') ) { - github.rest.issues.addLabels({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['severity: fips change'] - }); - } else if ( 
fs.existsSync('./fips_unchanged') ) { - var labels = await github.rest.issues.listLabelsOnIssue({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo - }); - - for ( var label in labels.data ) { - if (labels.data[label].name == 'severity: fips change') { - github.rest.issues.removeLabel({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo, - name: 'severity: fips change' - }); - } - } - } - - name: 'Cleanup artifact' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - run: rm artifact.zip pr_num - - - name: 'Download abidiff artifact' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v7 - with: - script: | - var artifacts = await github.rest.actions.listWorkflowRunArtifacts({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: ${{github.event.workflow_run.id }}, - }); - var matchArtifact = artifacts.data.artifacts.filter((artifact) => { - return artifact.name == "abidiff" - })[0]; - var download = await github.rest.actions.downloadArtifact({ - owner: context.repo.owner, - repo: context.repo.repo, - artifact_id: matchArtifact.id, - archive_format: 'zip', - }); - var fs = require('fs'); - fs.writeFileSync('${{github.workspace}}/artifact.zip', Buffer.from(download.data)); - - run: unzip artifact.zip - if: ${{ github.event.workflow_run.conclusion == 'success' }} - - name: 'Check artifact and apply' - if: ${{ github.event.workflow_run.conclusion == 'success' }} - uses: actions/github-script@v7 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - var fs = require('fs'); - var pr_num = Number(fs.readFileSync('./pr_num')); - if ( fs.existsSync('./abi_changed') ) { - github.rest.issues.addLabels({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['severity: ABI change'] - }); - } else if ( fs.existsSync('./abi_unchanged') ) { - var labels = await github.rest.issues.listLabelsOnIssue({ - issue_number: 
pr_num, - owner: context.repo.owner, - repo: context.repo.repo - }); - - for ( var label in labels.data ) { - if (labels.data[label].name == 'severity: ABI change') { - github.rest.issues.removeLabel({ - issue_number: pr_num, - owner: context.repo.owner, - repo: context.repo.repo, - name: 'severity: ABI change' - }); - } - } - }