From: Dmitry Misharov
Date: Thu, 23 Oct 2025 10:26:31 +0000 (+0200)
Subject: remove workflow_run trigger in quic workflows
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aeb5975f9bd8023b3ea8a3d21948ea46562316ad;p=thirdparty%2Fopenssl.git
remove workflow_run trigger in quic workflows
workflow_run runs in the context of the target repository rather than the fork repository, while also being typically triggerable by the latter. This can lead to attacker controlled code execution or unexpected action runs with context controlled by a malicious fork.
https://docs.zizmor.sh/audits/#dangerous-triggers
Reviewed-by: Neil Horman
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28982)
---
diff --git a/.github/workflows/build_quic_interop_container.yml b/.github/workflows/build_quic_interop_container.yml
deleted file mode 100644
index 559daefcce..0000000000
--- a/.github/workflows/build_quic_interop_container.yml
+++ /dev/null
@@ -1,46 +0,0 @@ -name: "Build openssl interop containers" - -on: - schedule: - - cron: '40 02 * * *' - workflow_dispatch: - -jobs: - update_quay_container: - if: github.repository == 'openssl/openssl' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - name: "log in to quay.io" - run: | - docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io - - name: "Build container" - run: | - cd test/quic-openssl-docker/ - docker build -t quay.io/openssl-ci/openssl-quic-interop:latest . - - name: "Push to quay" - run: | - docker push quay.io/openssl-ci/openssl-quic-interop:latest - - update_msquic_quay_container: - if: github.repository == 'openssl/openssl' - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - repository: microsoft/msquic - ref: main - submodules: recursive - - name: "log in to quay.io" - run: | - docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io - - name: Patch qns.Dockerfile - run: | - sed -i 's/RUN cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on ../RUN cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on -DQUIC_TLS_LIB=openssl ../' ./scripts/qns.Dockerfile - if grep -q "RUN cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on -DQUIC_TLS_LIB=openssl .." ./scripts/qns.Dockerfile; then echo "Patched successfully"; else exit 1; fi - - name: "Build container" - run: | - docker build -f ./scripts/qns.Dockerfile -t quay.io/openssl-ci/msquic-openssl:latest . - - name: "Push to quay" - run: | - docker push quay.io/openssl-ci/msquic-openssl:latest
diff --git a/.github/workflows/run_quic_interop.yml b/.github/workflows/run_quic_interop.yml
index 386315f77e..6569a7d1ce 100644
--- a/.github/workflows/run_quic_interop.yml
+++ b/.github/workflows/run_quic_interop.yml
@@ -1,13 +1,65 @@ name: "Run openssl quic interop testing" on: - workflow_run: - workflows: ["Build openssl interop containers"] - types: [completed] + schedule: + - cron: '40 02 * * *' workflow_dispatch: + inputs: + only_interop: + type: boolean + required: false + default: false + description: "Run only interop jobs (skip building/pushing containers)" + +permissions: {} jobs: + update_quay_container: + if: ${{ github.repository == 'openssl/openssl' && !inputs.only_interop }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + - name: "log in to quay.io" + run: | + docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io + - name: "Build container" + run: | + cd test/quic-openssl-docker/ + docker build -t quay.io/openssl-ci/openssl-quic-interop:latest . + - name: "Push to quay" + run: | + docker push quay.io/openssl-ci/openssl-quic-interop:latest + + update_msquic_quay_container: + if: ${{ github.repository == 'openssl/openssl' && !inputs.only_interop }} + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + repository: microsoft/msquic + ref: main + submodules: recursive + persist-credentials: false + - name: "log in to quay.io" + run: | + docker login -u openssl-ci+machine -p ${{ secrets.QUAY_IO_PASSWORD }} quay.io + - name: Patch qns.Dockerfile + run: | + sed -i 's/RUN cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on ../RUN cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on -DQUIC_TLS_LIB=openssl ../' ./scripts/qns.Dockerfile + if grep -q "RUN cmake -DQUIC_BUILD_TOOLS=on -DQUIC_ENABLE_LOGGING=on -DQUIC_TLS_LIB=openssl .." ./scripts/qns.Dockerfile; then echo "Patched successfully"; else exit 1; fi + - name: "Build container" + run: | + docker build -f ./scripts/qns.Dockerfile -t quay.io/openssl-ci/msquic-openssl:latest . 
+ - name: "Push to quay" + run: | + docker push quay.io/openssl-ci/msquic-openssl:latest + run_quic_interop_openssl_client: + if: ${{ !inputs.only_interop }} + needs: [update_quay_container, update_msquic_quay_container] + runs-on: ubuntu-latest strategy: matrix: tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6]
@@ -18,12 +70,12 @@ jobs: - servers: msquic-openssl tests: retry fail-fast: false - runs-on: ubuntu-latest - steps: + steps: &client_steps - uses: actions/checkout@v4 with: - repository: 'quic-interop/quic-interop-runner' - fetch-depth: 0 + repository: 'quic-interop/quic-interop-runner' + fetch-depth: 0 + persist-credentials: false - name: Install python requirements run: | for i in {1..3}; do pip install -r requirements.txt && break; sleep 10; done
@@ -48,17 +100,14 @@ jobs: , role: "both" }}' ./implementations.json > ./implementations.tmp mv ./implementations.tmp implementations.json - - name: "Update to docker-compose 2.36 and docker engine 28.1.1" - run: | - mkdir -p ~/.docker/cli-plugins/ - curl -SL https://github.com/docker/compose/releases/download/v2.36.0/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose - curl -SL "https://download.docker.com/linux/static/stable/x86_64/docker-28.1.1.tgz" -o ./docker-28.1.1.tgz - tar --strip-components=1 -xvzf docker-28.1.1.tgz - echo "$PWD" >> $GITHUB_PATH - chmod 755 ~/.docker/cli-plugins/docker-compose - chmod 755 ./docker - sudo mv ./dockerd $(which dockerd) - sudo systemctl restart docker + - name: Set up docker + uses: docker/setup-docker-action@3fb92d6d9c634363128c8cce4bc3b2826526370a # v4.4.0 + with: + version: "28.1.1" + - name: Set up docker compose + uses: docker/setup-compose-action@364cc21a5de5b1ee4a7f5f9d3fa374ce0ccde746 # v1.2.0 + with: + version: "v2.36.2" - name: Check docker version run: | docker version
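Review bot: Both `log in to quay.io` steps added in the `@@ -1,13 +1,65 @@` hunk (`update_quay_container` and `update_msquic_quay_container`) interpolate `${{ secrets.QUAY_IO_PASSWORD }}` straight into the `run:` script and hand it to `docker login -p`, so the secret becomes part of the generated shell text and of the process argument list; the `--password-stdin` form keeps it out of both. I would give each step `env:` with `QUAY_IO_PASSWORD: ${{ secrets.QUAY_IO_PASSWORD }}` and change the command to `echo "$QUAY_IO_PASSWORD" | docker login -u openssl-ci+machine --password-stdin quay.io`. Separately, `actions/checkout@v4` stays tag-pinned in these jobs while the docker actions introduced in the `@@ -48,17 +100,14 @@` hunk are pinned to a commit SHA with a version comment; pinning checkout the same way (`actions/checkout@<commit-sha> # v4.x`, value to be looked up) would make the file consistent. The `run_quic_interop_openssl_client` job that begins at the end of the first hunk continues past the hunk boundary.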
@@ -66,7 +115,11 @@ jobs: - name: "Run interop with openssl client" run: | python3 ./run.py -c openssl -t ${{ matrix.tests }} -s ${{ matrix.servers }} --log-dir ./logs-client -d + run_quic_interop_openssl_server: + if: ${{ !inputs.only_interop }} + needs: [update_quay_container, update_msquic_quay_container] + runs-on: ubuntu-latest strategy: matrix: tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6]
@@ -75,15 +128,15 @@ jobs: - clients: mvfst tests: amplificationlimit fail-fast: false - runs-on: ubuntu-latest - steps: + steps: &server_steps - uses: actions/checkout@v4 with: - repository: 'quic-interop/quic-interop-runner' - fetch-depth: 0 + repository: 'quic-interop/quic-interop-runner' + fetch-depth: 0 + persist-credentials: false - name: Install python requirements run: | - for i in {1..3}; do pip install -r requirements.txt && break; sleep 10; done + for i in {1..3}; do pip install -r requirements.txt && break; done - name: Add tshark repo run: | for i in {1..3}; do sudo add-apt-repository ppa:wireshark-dev/stable && break; done
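Review bot: The rewritten pip retry in `run_quic_interop_openssl_server` (`for i in {1..3}; do pip install -r requirements.txt && break; done`, in the `@@ -75,15 +128,15 @@` hunk) drops the `sleep 10` between attempts, so the three tries fire back-to-back and a transient index failure is likely to hit all of them; the client job's identical step, kept as context in the `@@ -18,12 +70,12 @@` hunk, still pauses. Unless the removal is deliberate, restore it: `for i in {1..3}; do pip install -r requirements.txt && break; sleep 10; done`. If back-to-back retries are intended (the following tshark-repo loop already has no pause), a one-line comment on the step saying so would stop the inconsistency being "fixed" later. The `run_quic_interop_openssl_server` job continues beyond the end of this hunk.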
@@ -105,21 +158,46 @@ jobs: , role: "both" }}' ./implementations.json > ./implementations.tmp mv ./implementations.tmp implementations.json - - name: "Update to docker-compose 2.36 and docker engine 28.1.1" - run: | - mkdir -p ~/.docker/cli-plugins/ - curl -SL https://github.com/docker/compose/releases/download/v2.36.0/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose - curl -SL "https://download.docker.com/linux/static/stable/x86_64/docker-28.1.1.tgz" -o ./docker-28.1.1.tgz - tar --strip-components=1 -xvzf docker-28.1.1.tgz - echo "$PWD" >> $GITHUB_PATH - chmod 755 ~/.docker/cli-plugins/docker-compose - chmod 755 ./docker - sudo mv ./dockerd $(which dockerd) - sudo systemctl restart docker + - name: Set up docker + uses: docker/setup-docker-action@3fb92d6d9c634363128c8cce4bc3b2826526370a # v4.4.0 + with: + version: "28.1.1" + - name: Set up docker compose + uses: docker/setup-compose-action@364cc21a5de5b1ee4a7f5f9d3fa374ce0ccde746 # v1.2.0 + with: + version: "v2.36.2" - name: Check docker version run: | docker version docker compose version - name: "Run interop with openssl server" run: | - python3 ./run.py -s openssl -t ${{ matrix.tests }} -c ${{ matrix.clients }} --log-dir ./logs-server -d + python3 ./run.py -s openssl -t "${{ matrix.tests }}" -c "${{ matrix.clients }}" --log-dir ./logs-server -d + + run_quic_interop_openssl_client_only: + if: ${{ inputs.only_interop }} + runs-on: ubuntu-latest + strategy: + matrix: + tests: [http3, transfer, handshake, retry, chacha20, resumption, multiplexing, ipv6] + servers: [quic-go, ngtcp2, mvfst, quiche, nginx, msquic, haproxy, msquic-openssl] + exclude: + - servers: msquic + tests: retry + - servers: msquic-openssl + tests: retry + fail-fast: false + steps: *client_steps + + run_quic_interop_openssl_server_only: + if: ${{ inputs.only_interop }} + runs-on: ubuntu-latest + strategy: + matrix: + tests: [http3, transfer, handshake, retry, chacha20, resumption, amplificationlimit, ipv6] + clients: [quic-go, 
ngtcp2, mvfst, quiche, msquic, openssl, chrome, msquic-openssl] + exclude: + - clients: mvfst + tests: amplificationlimit + fail-fast: false + steps: *server_steps
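Review bot: The server command now quotes its matrix expansions (`python3 ./run.py -s openssl -t "${{ matrix.tests }}" -c "${{ matrix.clients }}" --log-dir ./logs-server -d`), but the client counterpart `python3 ./run.py -c openssl -t ${{ matrix.tests }} -s ${{ matrix.servers }} --log-dir ./logs-client -d` (context in the `@@ -66,7 +115,11 @@` hunk) stays unquoted, and both lines are now shared with the new `_only` jobs through the `*client_steps` and `*server_steps` aliases, so the two should be kept in step. The matrix values are fixed lists in this file, so this is hygiene rather than an exploitable injection; the more robust form for both is to pass the values via the step's `env:` and reference `"$TESTS"`/`"$SERVERS"` in the script instead of expanding expressions inside `run:`. The new `run_quic_interop_openssl_client_only` and `run_quic_interop_openssl_server_only` jobs repeat the full `strategy.matrix` blocks verbatim; anchoring them the way `steps` is anchored (e.g. `matrix: &client_matrix` on the originals) would keep the include/exclude lists from drifting apart. As far as I know the Actions workflow parser only recently began accepting YAML anchors, so a short comment at the `&client_steps` definition in the earlier hunk noting that dependency would help readers who remember the old restriction.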