and I had a discuss

Question

< alessandrogario> < seph> < David Gibb> and I had a discussion recently and due to security concerns with GitHub Actions we believe the current model will persist Additionally the lack of broader control job start job queue etc via GH APIs is another challenge today However based on the above change we can take another look at this

alessandrogario · Answer

What are the concerns exactly I would have liked to store the credentials elsewhere

alessandrogario · Answer

and from the osquery org use a request to start an instance for us this would ensure that at the very worst a bad PR would never be able to steal the credentials

alessandrogario · Answer

More specifically I wanted to know what were the added difficulties compared to the built in GitHub Actions runners

seph · Answer

I don t have this well written So an ugly braindump github hosted stuff has some additional steps around minting a token for the runner running and then destroying But those hooks aren t really exposed for the self hosted ones You can mint tokens yes But you cannot ensure a runner only runs once

seph · Answer

You can kinda in that there are some wholly unsupported command line arguments that they left behind due to sloppy code but thre s some large github issues where they talk about how that can cause the servers to get confused and dispatch to dead runners

seph · Answer

The crux of it is that there is no github supported way to have a runner be ephemeral or run only once

seph · Answer

There are ways to hack it and ways to reduce the timing window where things might go badly but it just doesn t feel good And it feels like we re fighting github for it

seph · Answer

I think it s clear this isn t something they re going to support They ve had an internal PR languishing for a year

alessandrogario · Answer

what are exactly the security concerns we inherit from the self hosted runners that are not present in built in GitHub runners

alessandrogario · Answer

other than the AWS credentials that we can move outside the org

seph · Answer

There is no way to ensure the hosts state is reset between test runs

alessandrogario · Answer

And what is the reason we can t use the codebuild alternative

alessandrogario · Answer

I thought we were going to move to it but it seems like that is no longer the case

seph · Answer

Oh that s the current plan use the AWS codebuild for the arm builds

seph · Answer

I don t think GitHub s changes really address our concerns

alessandrogario · Answer

I may have read it wrong I thought the current model will persist meant we would have kept what we have now

seph · Answer

Yeah I m not sure I agree

alessandrogario · Answer

the GitHub changes are not that useful IMHO one could just make a legit PR first and then a rogue PR next

seph · Answer

Exactly

alessandrogario · Answer

once their name has been allowlisted

seph · Answer

They re targetting simple drive by crypto mining Where the vulnerability we see requires a careful attack

alessandrogario · Answer

I m still in favor of moving to codebuild if it works better

seph · Answer

I expect to move to codebuild just no time

seph · Answer

And the current stop gap is okay

seph · Answer

last week was school vacation so it was rough

Paul Roberts · Answer

If we want to move to CodeBuild we can help put together some example code that you all can take a look at

Paul Roberts · Answer

Candidly really disappointed that the GitHub APIs aren t more flexible so we could do this with Self Hosted Runners disappointed

Marcello Golfieri · Answer

re Ephemeral runner PFRs