Description
I noticed from the CI logs that secrets are being pulled from GitHub secrets.
This means that a malicious actor can push a malicious CI that prints out secrets to the CI logs - the burden is currently being placed on maintainers to check any changes that would be made to the CI - if they miss a malicious piece for whatever reason - secrets will leak.
My recommendation would be to use a different approach for in-pipeline secrets - especially given that the project is open source.
Use a central secret management like 1Password for example. Does not need to be that exact one though - the core idea however is that secrets are loaded from an externally managed source.
Herewith you can have a few additional core controls:
- Make sure secrets are encrypted via the secret management server
- Add IP restriction to expect login from the self-hosted runner
- Ensure tokens have a short lifetime for that specific run
- etc...
This will reduce this security burden on the team and moreover ensure that any malicious workflows would not be able to get any secrets.
I've done a solution similar to this before while working at Polygon - that was an internal repo though.
I can set something like this up for Kakarot and overall refine the CI/CD pipelines.
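
The controls listed in the issue above (login restricted to the self-hosted runner's IP, short-lived tokens scoped to one run), as an added sketch that is not part of the original issue and not Kakarot's code. The key, network range, TTL and function names are constructed assumptions, not the API of 1Password or any other secret manager.

```python
import base64, hashlib, hmac, ipaddress, json

# Constructed values for illustration only (assumptions, not from the issue).
BROKER_KEY = b"constructed-demo-key"  # held only by the secret manager
RUNNER_NETS = [ipaddress.ip_network("203.0.113.16/28")]  # runner egress range
TOKEN_TTL = 300  # seconds: enough for one job, useless afterwards


def _sign(payload: bytes) -> str:
    return hmac.new(BROKER_KEY, payload, hashlib.sha256).hexdigest()


def ip_allowed(source_ip: str) -> bool:
    """True only when the caller sits in the self-hosted runner's network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in RUNNER_NETS)


def issue_token(run_id: str, source_ip: str, now: int) -> str:
    """Issue a token bound to a single CI run, and only to the runner."""
    if not ip_allowed(source_ip):
        raise PermissionError("login not from the self-hosted runner")
    claims = {"run": run_id, "exp": now + TOKEN_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token: str, run_id: str, source_ip: str, now: int) -> bool:
    """Check signature, source network, run binding and expiry
    before any secret is released to the caller."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        if not hmac.compare_digest(sig, _sign(payload)):
            return False
        claims = json.loads(payload)
        return (ip_allowed(source_ip)
                and claims.get("run") == run_id
                and now < claims.get("exp", 0))
    except (ValueError, TypeError):
        return False  # malformed token or address: fail closed
```
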