undefined | Better HN

0 pointscooljacob2046y ago0 comments

Why would a CI/CD need to permissions modify and commit code to a repo?

0 comments

Say your CI pipeline runs automated tests, builds the gem and pushes to Rubygems, it needs permissions to push to Rubygems.

So if an attacker compromises the API key used by that pipeline, they get the rights to push to Rubygems.

enneff6y ago

Actually publishing new versions seems like something that happens infrequently enough that it would be fine to require a manual auth to complete it. Given the potential risks it seems prudent.

raesene96y ago

I'd expect that very much depends on the software in question. As one example that I'm aware of, gvisor from Google delivers nightly builds. So they're building and pushing every single day.

It'd depend on the individual software library and of course as a consumer of many libraries you generally will have limited or no visibility of the practices of all your dependencies.

2 more replies

zbentley6y ago

Absolutely agree. One-click deploys are nice, but in some circumstances not worth the cost. The manual component can also be polished to the point where it's not that arduous (think github login with 2FA and clicking the "merge" button).

fahrradflucht6y ago

The argument for automated releases is always that it is quite easy to do silly mistakes like forgetting a build step while doing manual releases. This also happened to high profile npm packages in the past and people complained that there was no automation.

1 more reply

C4stor6y ago

I doesn't seem hard to imagine a CI pipeline that sends an email/sms for validation and waits an affirmative answer before continuing. I have no idea how to receive texts on a server, but sending and receiving emails is super easy.

j / k navigate · click thread line to collapse

0 comments

raesene96y ago

Say your CI pipeline runs automated tests, builds the gem and pushes to Rubygems, it needs permissions to push to Rubygems.

So if an attacker compromises the API key used by that pipeline, they get the rights to push to Rubygems.

enneff6y ago

Actually publishing new versions seems like something that happens infrequently enough that it would be fine to require a manual auth to complete it. Given the potential risks it seems prudent.

raesene96y ago

I'd expect that very much depends on the software in question. As one example that I'm aware of, gvisor from Google delivers nightly builds. So they're building and pushing every single day.

It'd depend on the individual software library and of course as a consumer of many libraries you generally will have limited or no visibility of the practices of all your dependencies.

2 more replies

zbentley6y ago

fahrradflucht6y ago

1 more reply

C4stor6y ago

j / k navigate · click thread line to collapse