REL: implement SPEC 8 #166
Conversation
|
Hi @matthewfeickert! I'm taking a look at implementing SPEC 8 for this repo and I've checked off what I think is done in the description of this PR. Of the unchecked boxes, what do you think about which ones are required/optional? |
|
Thanks @lucascolley. I'm in meetings all day today so if I don't get to this before EOD please ping me on any and all channels of communication. 👍 |
@lucascolley This is great that you're working to adopt SPEC 8, so thank you. 👍 I'll do my best to summarize things, but I'll also tag @tupui, @juanis2112, and @lagru who might have some additional thoughts.
This is more just trying to reinforce the "4 eyes" policy that having at least two people look at something (1 reviewer who isn't the author) is a great way to catch bugs before they enter into the workflow and also ensure that accidental security mistakes that are just from small human error don't have time to become exploits.
I again think that this is a solid idea in general, given that anyone can make commits as anyone else on GitHub by just commiting with another person's author information. So if you think that projects could be at risk of people trying impersonation attacks, having known signatures can provide an additional level of verification.
This is just a "no brainer" to me. I've definitely thought that I'm working on a branch that I could have sworn I checked out and then just before I run If memory serves, I think that @lagru (?) had strong thoughts here, but this is just an additional step to make sure that you're only allowing the workflows you think you're allowing to run. You can imagine that in a high activity week with overworked maintainers that someone could sneak in a small additional GitHub Actions workflow to a change in CI that looks benign but allows for malicious code to run once merged. To address your question of "required/optional", these are all recommendations, and we aren't going to police you. So they're all "optional" to an extent, but we'd suggest that people consider how a little bit of friction up front can avoid a lot of pain in the long run. It is also worth mentioning that in the time since SPEC 8 was accepted there has been a lot of work by great teams in this space that have simplified and hardened things even more. So SPEC 8 could probably do with some updating to 2025 recommendations of workflows. |
Agreed, I turned on branch protection for |
|
This is quite topical (maybe even what triggered this PR?), and makes sense in principle. I'd add though that if one is worried about this, |
That's actually just a coincidence (I noticed the SPEC 0 badge and wondered whether there were any other specs that made sense for small projects). RE points above:
I would be happy with this, but at the minute the 'release team' has just been me.
While I've personally started signing commits as of yesterday, I'm concerned that this would be a barrier to entry for new contributors.
It sounds like I'd be happy to follow the recommendations in the SPEC for this, then, but that may not have a big impact if we keep using pre-commit. |
Are you running
Yeah, again these are recommendations in general that you need to adapt to the "on the ground" reality. If you're a single maintainer and no one else works on the project with you at all, then you don't have much choice.
These are recommendations for maintainers, not restrictions for all contributors. |
Is there a way to require signed commits just from maintainers / just during the release process? I guess create a separate branch for releasing? |
Ah excellent question that I don't know off the top of my head, and would be worth looking up. It might not matter, as in the rule protection set the "Require signed commits" options reads
here refs are the target branches or tags, so you could create a ruleset that restricts this to to release refs (potentially), which would only be coming from maintainers. Seems like this should maybe get clarified though in a revision to the SPEC. |
Not in this project, but I'm commenting on the overall security aspect here, we're not reviewing SPEC 8 itself. Also, there are many projects who do indeed run it in CI on the repo from which releases are made - which is part of the release process I'd say (can potentially access repository secrets). Anyway, whitelisting actions seems perfectly fine, not that cumbersome. Just pointing out there's more to do here. |
would you be able to whitelist the currently used actions, Ralf? After that, this should be ready to merge |
|
Done: 
Observation: pinning to commit hashes helps more than whitelisting probably, since there are a lot of actions here and each of those may depend on yet more actions, pre-commit hooks, and packages from other individuals. The surface area is still quite large. Commit hash pinning insulates from that pretty well, as long as the pins aren't updated aggressively, since no one actually reviews such updates by checking what happened between the old and new commit. |
|
thanks Ralf and all! |
|
It looks like there is a problem: @matthewfeickert have you implemented this elsewhere? Do exact commit hashes need to be whitelisted in the admin settings?! |
@rgommers it looks like we may instead want e.g. |
|
updated, I hope that fixes it |
* CI: use hashes for actions * CI: restrict permissions * DOC: add SPEC 8 badge * lint
RELEASING.mdmainbranch