From e2daf6f14045587614681bf6579480be63de6da0 Mon Sep 17 00:00:00 2001 From: Pauli Date: Sun, 16 May 2021 10:23:54 +1000 Subject: ci: remove the checksum CI script This script introduces a security vulnerability where the OpenSSL github repository can be modified which opens a window for an attacker. Reviewed-by: Matt Caswell Reviewed-by: Tim Hudson Reported-by: Nikita Stupin --- .github/workflows/checksums.yml | 71 ----------------------------------------- 1 file changed, 71 deletions(-) delete mode 100644 .github/workflows/checksums.yml (limited to '.github') diff --git a/.github/workflows/checksums.yml b/.github/workflows/checksums.yml deleted file mode 100644 index 5f444b639b..0000000000 --- a/.github/workflows/checksums.yml +++ /dev/null @@ -1,71 +0,0 @@ -name: FIPS Checksums -on: [pull_request_target] -jobs: - apply-label: - runs-on: ubuntu-latest - steps: - - name: install unifdef - run: | - sudo apt-get update - sudo apt-get -yq --no-install-suggests --no-install-recommends --force-yes install unifdef - - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.base.sha }} - - name: create build dirs - run: | - mkdir ./build-pristine - mkdir ./build - - name: config pristine - run: ../config enable-fips && perl configdata.pm --dump - working-directory: ./build-pristine - - name: make build_generated pristine - run: make -s build_generated - working-directory: ./build-pristine - - name: make fips-checksums pristine - run: make fips-checksums - working-directory: ./build-pristine - - uses: actions/checkout@v2 - with: - ref: ${{ github.event.pull_request.head.sha }} - clean: false - - name: config - run: ../config enable-fips && perl configdata.pm --dump - working-directory: ./build - - name: make build_generated - run: make -s build_generated - working-directory: ./build - - name: make fips-checksums - run: make fips-checksums - working-directory: ./build - - name: update checksums pristine - run: touch providers/fips.checksum.new && make update-fips-checksums - working-directory: ./build-pristine - - name: make diff-fips-checksums - run: make diff-fips-checksums && echo "fips_unchanged=1" >> $GITHUB_ENV || echo "fips_changed=1" >> $GITHUB_ENV - working-directory: ./build - - name: set label - if: ${{ env.fips_changed }} - continue-on-error: true - uses: actions/github-script@v4 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - github.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels: ['severity: fips change'] - }) - - name: remove label - if: ${{ env.fips_unchanged }} - continue-on-error: true - uses: actions/github-script@v4 - with: - github-token: ${{secrets.GITHUB_TOKEN}} - script: | - github.issues.removeLabel({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - name: 'severity: fips change' - }) -- cgit v1.2.3