express icon indicating copy to clipboard operation
express copied to clipboard

Improve pipelines

Open UlisesGascon opened this issue 4 months ago • 11 comments

Main Changes

This change include the pinning for the GItHub Actions dependencies (ce959ac) and the permissions definition for the pipeline (ea604fb)

Impact in the OSSF Scorecard

Screenshot 2024-02-02 at 16 46 53 Screenshot 2024-02-02 at 16 47 08

Context

Changes related

Team discussion related

  • Ref: https://github.com/expressjs/security-wg/issues/2
  • Report: https://kooltheba.github.io/openssf-scorecard-api-visualizer/#/projects/github.com/expressjs/express/commit/2a00da2067b7017f769c9100205a2a5f267a884b

Changelog

  • ce959ac chore: pin dependencies in the pipeline by @UlisesGascon
  • ea604fb chore: specify permissions in the pipeline by @UlisesGascon

UlisesGascon avatar Feb 02 '24 15:02 UlisesGascon

What is the npmCommand warnings referring to in that report output?

dougwilson avatar Feb 22 '24 03:02 dougwilson

What is the npmCommand warnings referring to in that report output?

I think the issue is with npm install --save-dev ${{ matrix.npm-i }}. I can ask the Scorecard Team for support on this, because I can see that the dependencies in the matrix.npm-i are pinned.

Take in account that until we don't merge https://github.com/expressjs/express/pull/5431 we are depending on the OSSF Scorecard CRON job to update the results. So the last scanned commit was 0e3ab6ec215fc297473323fb1e8d0df03033e774, here is the visual report

UlisesGascon avatar Feb 22 '24 09:02 UlisesGascon

Do we know if the dependabot updates (assuming we decide to use that) for these versions will take into account semverness? I know it doesn't normally (which is soooooo annoying and broken) but I thought there was a setting to disallow majors, I am not sure that would work with commit hashes.

Not blocking at all, but the more we lean into these the more general maintenance we need to do. IMO a better way is to move this kind of stuff to a shared workflow in .github and keep all the packages in the orgs pointing to one individual source we need to update. Does that description make sense?

wesleytodd avatar Feb 22 '24 16:02 wesleytodd

@wesleytodd

Do we know if the dependabot updates (assuming we decide to use that) for these versions will take into account semverness?

Dependabot should ignore deps pinned to commits. It just doesn't know what to do with them, so it will skip them.

jonchurch avatar Mar 26 '24 03:03 jonchurch

So the problem then is we don't get any updates. Which is maybe fine, but still this is a bad DX imo.

wesleytodd avatar Mar 26 '24 14:03 wesleytodd

Pinning these deps is part of the scorecard score and guidance recommendations, hence why they have been proposed this way.

jonchurch avatar Mar 27 '24 00:03 jonchurch

Yeah I get that, doesnt help make it any less of a UX problem though right? We still need to update them on a regular basis.

wesleytodd avatar Mar 27 '24 13:03 wesleytodd

@inigomarquinez I think that updating the dependencies might break the pipelines, I will have a look into it.

UlisesGascon avatar Apr 01 '24 11:04 UlisesGascon

Do we know if the dependabot updates (assuming we decide to use that) for these versions will take into account semverness?

Yes, it should support this approach. The comment is just to make it more human readable. The reason why we need to use commit hashes and not the tag reference directly is because the tags are not immutable so we can end up running something different that what we expect.

More context about the attack vector

UlisesGascon avatar Apr 01 '24 11:04 UlisesGascon

dependabot does update pinned dependencies. At least in all the projects where I use pinned dependencies in GitHub actions along with dependabot, it opens a new pull request to update them to the latest pinned dependency. It even updates the comment saying to which version it belongs to.

@wesleytodd

Do we know if the dependabot updates (assuming we decide to use that) for these versions will take into account semverness?

Dependabot should ignore deps pinned to commits. It just doesn't know what to do with them, so it will skip them.

inigomarquinez avatar Apr 01 '24 11:04 inigomarquinez

Frankly seeing this same change in many repos is going to not be something I am interested in dealing with. I am border line on this, but I think I am leaning toward: This shouldn't land until there is a way to centrally manage this across all the repos with a single update.

Which I think means that we should refactor many of the CICD setups to use shared worfklows from the .github repo.

wesleytodd avatar Apr 01 '24 13:04 wesleytodd