Skip to content

pagopa/example-good-repo-packages

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

example-good-repo-packages

This is a well repository to show how to modify a GitHub Package using write permission or GitHub Actions.

Reposiroty configuration:

  • main has branch protection enabled with a review from CODEOWNERS
  • anyone in PagoPA GitHub Organization has write permission on this repository
  • repository package is a docker image
  • packages doesn't inherit access from source repository
  • repository admins has write permission on the packages
  • GitHub Actions has no access to packages
  • a GitHub Bot has a write permission on this repository. We use a secret BOT_TOKEN to authenticate the bot with a personal access token. The secret is configured as described here https://github.com/orgs/pagopa/example-good-repo-secrets

You can check packages settings here https://github.com/orgs/pagopa/packages/container/example-good-repo-packages/settings

Safe scenario #1:

  • a user with write permission try to modify an existing docker image tagged v2 in packages using his personal PAT token. The push operation fails becasuse the user doesn't have write permission on packages.
docker login ghcr.io
> insert GITHUB_USERNAME
> insert GITHUB_PAT_TOKEN
docker build -f Dockerfile.evil  -t ghcr.io/pagopa/example-good-repo-packages:v2 .
docker image push ghcr.io/pagopa/example-good-repo-packages:v2

Safe scenario #2:

  • a user with write permission create a Pull Request to try get BOT_TOKEN value. The GitHub Action fails to start because only a protected branch can use prod environment (example Pull Request #1)

How to modify unsecure GitHub Packages?

See this example https://github.com/pagopa/example-good-repo-packages

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published