Include PR info into release version #384
Open
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Apparently, any PR to this repo whether made by untrusted 3rd-party or by a member of Buildkite team which successfully ran CI publishes:
They get versioned via
git describe
like so:Where
g59acf83
inghcr.io/buildkite/agent-stack-k8s/controller:0.15.0-5-g59acf83
indicates a short commit sha.The security issue here is that for a typical end user who wants to grab what they think is latest build they just go to the packages linked right on GitHub and grab a latest build like the
controller:0.15.0-5-g59acf83
But in reality
controller:0.15.0-5-g59acf83
is build from an unmerged PR #381!In worst case scenario such PRs can be made by a malicious 3rd-party doing god knows what like leaking user credentials or doing Remote Code Execution in their CI setup, PRs are not yet merged onto main branch of original repo but already appear in the available packages list: here is controller build from my old PR as I found out now https://github.com/buildkite/agent-stack-k8s/pkgs/container/agent-stack-k8s%2Fcontroller/218244275?tag=0.11.0-1-g43e4777
As of right now if I understand correctly a member of Buildkite team needs to manually approve CI to run on a 3rd-party PR, which should prevent malicious code from being published, but for the end user nothing indicates the difference between the releases on the package page.
This PR adds PR information into the release version name so it's clear that you're not taking some latest main branch commit release:
controller:0.15.0-5-g59acf83
→controller:0.15.0-5-g59acf83-PR-381
I do want to emphasize that having 3rd-party PRs release as packages is actually very useful for testing the changes by the community and I'd love Buildkite to keep that feature, but to do so in a secure manner the release names need to clearly indicate that it is an untrusted 3rd-party PR release.