authorPauli <pauli@openssl.org>2021-05-16 10:23:54 +1000
committerPauli <pauli@openssl.org>2021-05-16 10:23:54 +1000
commite2daf6f14045587614681bf6579480be63de6da0 (patch)
tree77954c430c39eb18c40c1505b1b1f6b647bfcb6f
parent6dc56df26c41666ee5138da6c97bdb400fd03025 (diff)
ci: remove the checksum CI script
This script introduces a security vulnerability: it allows the OpenSSL GitHub repository to be modified, which opens a window for an attacker.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reported-by: Nikita Stupin
-rw-r--r--.github/workflows/checksums.yml71
1 files changed, 0 insertions, 71 deletions
diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml
deleted file mode 100644
index 5f444b639b..0000000000
--- a/.github/workflows/checksums.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: FIPS Checksums
-on: [pull_request_target]
-jobs:
- apply-label:
- runs-on: ubuntu-latest
- steps:
- - name: install unifdef
- run: |
- sudo apt-get update
- sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef
- - uses: actions/checkout@v2
- with:
- ref: ${{ github.event.pull_request.base.sha }}
- - name: create build dirs
- run: |
- mkdir ./build-pristine
- mkdir ./build
- - name: config pristine
- run: ../config enable-fips && perl configdata.pm --dump
- working-directory: ./build-pristine
- - name: make build_generated pristine
- run: make -s build_generated
- working-directory: ./build-pristine
- - name: make fips-checksums pristine
- run: make fips-checksums
- working-directory: ./build-pristine
- - uses: actions/checkout@v2
- with:
- ref: ${{ github.event.pull_request.head.sha }}
- clean: false
- - name: config
- run: ../config enable-fips && perl configdata.pm --dump
- working-directory: ./build
- - name: make build_generated
- run: make -s build_generated
- working-directory: ./build
- - name: make fips-checksums
- run: make fips-checksums
- working-directory: ./build
- - name: update checksums pristine
- run: touch providers/fips.checksum.new && make update-fips-checksums
- working-directory: ./build-pristine
- - name: make diff-fips-checksums
- run: make diff-fips-checksums && echo "fips_unchanged=1" >> $GITHUB_ENV || echo "fips_changed=1" >> $GITHUB_ENV
- working-directory: ./build
- - name: set label
- if: ${{ env.fips_changed }}
- continue-on-error: true
- uses: actions/github-script@v4
- with:
- github-token: ${{secrets.GITHUB_TOKEN}}
- script: |
- github.issues.addLabels({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- labels: ['severity: fips change']
- })
- - name: remove label
- if: ${{ env.fips_unchanged }}
- continue-on-error: true
- uses: actions/github-script@v4
- with:
- github-token: ${{secrets.GITHUB_TOKEN}}
- script: |
- github.issues.removeLabel({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- name: 'severity: fips change'
- })