Description
Copy of https://github.com/MetaMask/MetaMask-planning/issues/3925
Context
An attack pattern is emerging where malicious actors are able to inject malicious code into the release of applications by exploiting the behaviour of caching in GitHub Actions (also known as cache poisoning). In order to eliminate the possibility of this attack vector, we are requiring that all release workflows using GitHub's caching either eliminate their usage of caching, or migrate to using GitHub artifacts instead.
You can learn more about this kind of attack by reading the following blog posts:
- https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/
- https://adnanthekhan.com/2024/12/21/cacheract-the-monster-in-your-build-cache/
- https://socket.dev/blog/ultralytics-pypi-package-compromised-through-github-actions-cache-poisoning
Which GitHub workflows require updating
Any workflow that uses GitHub caching and is responsible for publishing changes, or has access to sensitive secrets, is at risk. Here are the two ways that caching is commonly used in workflows at MetaMask:
1. Using GitHub's `actions/cache`. This action allows you to cache specific files you choose. (example)

   ```yaml
   uses: actions/cache@v3
   ...
   ```

2. Setting the `cache` option with `actions/setup-node`. This action sets up Node, but has optional configuration that lets you restore node modules from a cache. (example)

   ```yaml
   uses: actions/setup-node@v4
   with:
     node-version-file: '.nvmrc'
     cache: 'yarn'
   ```
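To find workflows that still match either pattern before a release runs, here is an added audit script (not from the issue or any MetaMask repository); it works line by line so it needs no YAML library, and `SAMPLE_WORKFLOW` is a constructed input.

```python
import re

# Constructed sample workflow (not from the issue) showing both caching patterns
# the issue describes: actions/cache and the `cache:` input of actions/setup-node.
SAMPLE_WORKFLOW = """\
name: publish-release
on: workflow_dispatch
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
          cache: 'yarn'
      - uses: actions/cache@v3
        with:
          path: ./dist
          key: ${{ github.sha }}
      - run: yarn build
"""

def split_steps(workflow_text):
    """Group workflow lines into steps; each step starts at a '- ' list item."""
    steps, current = [], None
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if re.match(r"^\s*-\s", line):
            current = {"line": lineno, "text": line}
            steps.append(current)
        elif current is not None:
            current["text"] += "\n" + line
    return steps

def find_cache_usage(workflow_text):
    """Return (line, pattern) for every step that relies on the GitHub Actions cache."""
    findings = []
    for step in split_steps(workflow_text):
        uses = re.search(r"uses:\s*([\w./-]+)@", step["text"])
        if not uses:
            continue  # plain `run:` steps cannot restore a cache
        action = uses.group(1)
        if action == "actions/cache":
            findings.append((step["line"], "actions/cache"))
        elif action == "actions/setup-node" and re.search(r"^\s*cache:\s*\S", step["text"], re.M):
            findings.append((step["line"], "actions/setup-node with cache input"))
    return findings
```

Run `find_cache_usage` over each file in `.github/workflows/` of a release repository; any non-empty result is a workflow this issue applies to.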
How do I resolve this issue?
Example pull request: MetaMask/metamask-module-template#257
If build performance is not a concern, you can resolve this issue by removing the usage of actions/cache (see 1. above), and the usage of cache: ... for the actions/setup-node action (see 2. above) in your affected workflow.
If build performance is a concern, proceed to the next section about migrating from GitHub caching to GitHub artifacts.
Migrating from GitHub caching to GitHub Artifacts
Warning
If your repository is public, any artifacts created are made publicly available for download. Do not use artifacts if you intend to cache sensitive information such as builds that contain secrets.
1. First determine what files you were previously caching:
   a) If you were using the `cache: yarn` option with `actions/setup-node`, this means you were caching your `node_modules` directory.
   b) If you were using `actions/cache`, check the `path` argument to see which files or directories you were caching.
2. Remove the code that was setting the cache, and replace it with code to upload your GitHub artifact:

   ```yaml
   # Example of using build artifacts to cache
   - name: Upload build artifacts
     uses: actions/upload-artifact@v4
     with:
       # The name of the artifact will be used to download the artifacts later.
       name: example-github-artifact
       # After the retention period, artifacts are deleted.
       retention-days: 4
       # Use with caution. Including your `.git` directory in your GitHub artifact can leak GitHub access tokens.
       # Never use `include-hidden-files` true when creating an artifact in the root directory.
       # By default artifacts don't back up hidden files, but we require node_modules/.yarn-state.yml to be backed up.
       include-hidden-files: true
       # Replace the path with any files or directories you wish to be included in your artifact.
       path: |
         ./dist
   ```
3. Replace the code that was restoring data from the cache with code that downloads the artifact you created:
name: Setup Node
uses: actions/setup-node@v4
with:
node-version-file: '.nvmrc'
- cache: 'yarn'- - uses: actions/cache@v3
+ - uses: actions/download-artifact@v4
with:
- path: |
- ./dist
- ./node_modules/.yarn-state.yml
- key: ${{ github.sha }}
+ name: example-github-artifact
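Review bot: the removed cache `path` included `./node_modules/.yarn-state.yml`, but the upload step in step 2 lists only `./dist` under `path`, so the artifact that `actions/download-artifact@v4` restores here will not contain the yarn state file the upload comment says must be backed up; add `./node_modules/.yarn-state.yml` to the upload step's `path` (the `include-hidden-files: true` it already sets is what makes that hidden file eligible). Without a `path` input, `download-artifact@v4` extracts into the workspace root, which matches the relative paths used at upload.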
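As an added check for the Warning above and the comments in the upload step (example code, not the issue's own), this lints an upload-artifact step for the two configurations those notes warn against: uploading the repository root with `include-hidden-files: true`, and including `.git` in the artifact path; `SAFE_STEP` and `RISKY_STEP` are constructed inputs.

```python
import re

# Constructed upload-artifact steps (not from the issue). SAFE_STEP follows the
# issue's guidance; RISKY_STEP uploads the repository root with hidden files.
SAFE_STEP = """\
- name: Upload build artifacts
  uses: actions/upload-artifact@v4
  with:
    name: example-github-artifact
    include-hidden-files: true
    path: |
      ./dist
      ./node_modules/.yarn-state.yml
"""

RISKY_STEP = """\
- uses: actions/upload-artifact@v4
  with:
    name: workspace
    include-hidden-files: true
    path: .
"""

def artifact_paths(step_text):
    """Return the entries of the step's `path:` input, in scalar or block (|) form."""
    lines = step_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)path:\s*(.*)$", line)
        if not m:
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        if not value.startswith("|"):
            return [value]
        entries = []  # block scalar: collect lines indented deeper than `path:`
        for entry in lines[i + 1:]:
            if entry.strip() and len(entry) - len(entry.lstrip()) > indent:
                entries.append(entry.strip())
            else:
                break
        return entries
    return []

def lint_upload_step(step_text):
    """Flag uploads that could place the .git directory (and any token in it) in an artifact."""
    hidden = re.search(r"^\s*include-hidden-files:\s*true\b", step_text, re.M) is not None
    problems = []
    for p in artifact_paths(step_text):
        parts = [part for part in p.split("/") if part not in ("", ".")]
        if not parts and hidden:
            problems.append(f"{p}: repository root with include-hidden-files: true includes .git")
        elif ".git" in parts:
            problems.append(f"{p}: uploads the .git directory")
    return problems
```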
Workflows known to be affected
Repository: abi-utils
- Affected release workflow: publish-release.yml
Repository: accounts
- Affected release workflow: publish-release.yml
Repository: accounts-chain-api
- Affected release workflow: publish-release.yml
Repository: api-specs
- Affected release workflow: publish-release.yml
Repository: auto-changelog
- Affected release workflow: publish-release.yml
Repository: browser-passworder
- Affected release workflow: publish-release.yml
Repository: core
- Affected release workflow: publish-release.yml
Repository: design-tokens
- Affected release workflow: publish-release.yml
Repository: docusaurus-openrpc
- Affected release workflow: publish-release.yml
Repository: ens-resolver-snap
- Affected release workflow: publish-release.yml
Repository: eslint-config
- Affected release workflow: publish-release.yml
Repository: eth-json-rpc-middleware
- Affected release workflow: publish-release.yml
Repository: eth-ledger-bridge-keyring
- Affected release workflow: publish-release.yml
Repository: eth-query
- Affected release workflow: publish-release.yml
Repository: eth-sig-util
- Affected release workflow: publish-docs.yml
- Affected release workflow: publish-release.yml
Repository: eth-token-tracker
- Affected release workflow: publish-release.yml
Repository: eth-trezor-keyring
- Affected release workflow: publish-release.yml
Repository: gpt-txn-insights
- Affected release workflow: publish-release.yml
Repository: KeyringController
- Affected release workflow: publish-release.yml
Repository: metamask-developer-dashboard
- Affected release workflow: publish-package.yaml
Repository: metamask-sdk
- Affected release workflow: publish-release.yml
Repository: message-signing-snap
- Affected release workflow: publish-release.yml
Repository: nonce-tracker
- Affected release workflow: publish-release.yml
Repository: phishing-warning
- Affected release workflow: publish-release.yml
Repository: poc-btc-core
- Affected release workflow: publish-release.yml
Repository: ppom-validator
- Affected release workflow: publish-release.yml
Repository: rpc-errors
- Affected release workflow: publish-release.yml
Repository: safe-event-emitter
- Affected release workflow: publish-release.yml
Repository: scure-bip39
- Affected release workflow: publish-release.yml
Repository: smart-transactions-controller
- Affected release workflow: publish-release.yml
Repository: snap-4337-accounts
- Affected release workflow: publish-release.yml
Repository: snap-bitcoin-wallet
- Affected release workflow: publish-release.yml
Repository: snap-box
- Affected release workflow: publish-release.yml
Repository: snap-institutional-wallet
- Affected release workflow: publish-release.yml
Repository: snap-simple-keyring
- Affected release workflow: publish-release.yml
Repository: snap-solana-wallet
- Affected release workflow: publish-release.yml
Repository: snap-watch-only
- Affected release workflow: publish-release.yml
Repository: snaps
- Affected release workflow: publish-release.yml
Repository: snaps-registry
- Affected release workflow: publish-release.yml
Repository: stake-sdk
- Affected release workflow: publish-release.yml
Repository: swaps-controller
- Affected release workflow: publish-release.yml
Repository: swaps-controller-release-staging-tmp-202405
- Affected release workflow: publish-release.yml
Repository: swappable-obj-proxy
- Affected release workflow: publish-release.yml
Repository: template-snap
- Affected release workflow: publish-release.yml
Repository: test-bundler
- Affected release workflow: publish-release.yml
Repository: test-dapp-multichain
- Affected release workflow: publish-release.yml
Repository: test-snaps
- Affected release workflow: publish-release.yml
Repository: utils
- Affected release workflow: publish-release.yml