ci: replace secrets.GITHUB_TOKEN with dd-octo-sts #3875
Migrate all 4 GitHub Actions workflows from secrets.GITHUB_TOKEN to OIDC tokens minted by DataDog/dd-octo-sts-action. The token exchange is auditable and governed by chainguard policy files that explicitly declare which workflow, event, and ref pattern may request which permissions. Add a permissions block to add-asset-to-gh-release.yml which previously had none.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0725324cf3
```yaml
- name: Get GitHub Token via dd-octo-sts
  id: generate-token
  uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
  with:
    scope: DataDog/dd-trace-php
    policy: self.auto-label-prs
```
Restrict STS token minting on pull_request workflows
This workflow now mints a write-scoped STS token during pull_request runs and then hands it to code from the checked-out PR (./github-actions-helpers/build.sh), which means forked PRs can execute attacker-controlled code with stronger permissions than the default fork token model. With secrets.GITHUB_TOKEN, fork PRs are read-only by default, but self.auto-label-prs grants issues: write and pull_requests: write, so a malicious fork can exfiltrate or abuse that token to mutate PR metadata in the base repo; the same pattern also appears in auto_check_snapshots.yml.
Good callout.
@bwoebi the problem here seems to be the need to checkout, which makes it depend on untrusted repo code that could leverage the token for mischief.
Contrast with this one which doesn't clone: https://github.com/DataDog/dd-trace-rb/blob/master/.github/workflows/pull-request-labeler.yml
That said, this is moot if external contributor PRs don't run this CI workflow (which I think they don't?)
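The hardened shape the two comments above point at, written out as an added example that is not from the dd-trace-php repository or from this PR: an octo-sts style policy that pins which workflow and event may exchange an OIDC token for these permissions, followed by a workflow layout in which the job that checks out and runs PR code has no `id-token` permission and never sees the minted token, while the job that mints it does no checkout and is skipped for fork PRs. The policy file path and keys (`issuer`, `subject`, `claim_pattern`, `permissions`, regex semantics of the patterns), the `token` output name of the action, the workflow file name and the `labels=` output written by `build.sh` are assumptions; the action pin, `scope` and `policy` values are taken from the snippet above.

```yaml
# Added example, not project files. Assumed path:
# .github/chainguard/auto-label-prs.sts.yaml
issuer: https://token.actions.githubusercontent.com
# The OIDC subject of a pull_request run is repo:<owner>/<repo>:pull_request.
# Pinning it exactly means push, tag and workflow_dispatch runs cannot use
# this policy, even from the same repository.
subject: repo:DataDog/dd-trace-php:pull_request
claim_pattern:
  # Only this workflow file, evaluated at the PR merge ref, may exchange its
  # token; a new or renamed workflow in the same repo does not match.
  # (Regex keys and anchoring are an assumption about the policy format.)
  workflow_ref: 'DataDog/dd-trace-php/\.github/workflows/auto-label-prs\.yml@refs/pull/[0-9]+/merge'
  event_name: pull_request
permissions:
  issues: write
  pull_requests: write
---
# Assumed file: .github/workflows/auto-label-prs.yml
name: auto-label-prs
on:
  pull_request:

permissions: {}   # nothing by default; each job declares only what it needs

jobs:
  # Untrusted job: runs code from the checked-out PR head. It has no
  # id-token permission, so it cannot mint an STS token, and no token is
  # passed into it. Its only product is data (the label list).
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      labels: ${{ steps.build.outputs.labels }}
    steps:
      - uses: actions/checkout@v4
      - id: build
        # Assumed: build.sh appends "labels=<comma-separated>" to $GITHUB_OUTPUT.
        run: ./github-actions-helpers/build.sh

  # Trusted job: no checkout, so no attacker-controlled code runs next to
  # the token. Skipped outright for PRs whose head repo is a fork.
  label:
    needs: build
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required so the action can obtain the OIDC token it exchanges
      contents: read
    steps:
      - name: Get GitHub Token via dd-octo-sts
        id: generate-token
        uses: DataDog/dd-octo-sts-action@96a25462dbcb10ebf0bfd6e2ccc917d2ab235b9a # v1.0.4
        with:
          scope: DataDog/dd-trace-php
          policy: self.auto-label-prs
      - name: Apply labels
        env:
          # Output name `token` is an assumption about the action's interface.
          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
          # Data from the untrusted job goes through env, never into the
          # script text, so it cannot inject shell syntax.
          LABELS: ${{ needs.build.outputs.labels }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --add-label "$LABELS"
```

The split matters more than the `if` guard: even for same-repo PRs, a branch can change `build.sh`, so anything that job produces is input, not instructions. Keeping the token in a job with no checkout limits what a compromised branch can do to choosing label strings, and the policy's `subject` and `workflow_ref` pins mean that a token with `issues: write` and `pull_requests: write` can only ever be minted by this workflow on a pull_request run, not by any other workflow that happens to set `id-token: write`.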