diff --git a/scripts/ci/validate-workflow-security.js b/scripts/ci/validate-workflow-security.js index 22018b3b..bdefcdb7 100644 --- a/scripts/ci/validate-workflow-security.js +++ b/scripts/ci/validate-workflow-security.js @@ -25,6 +25,12 @@ const RULES = [ ]; const WRITE_PERMISSION_PATTERN = /^\s*(?:contents|issues|pull-requests|actions|checks|deployments|discussions|id-token|packages|pages|repository-projects|security-events|statuses):\s*write\b/m; +// `permissions: write-all` is GitHub Actions' shorthand for granting every +// scope write access. The named-scope pattern above misses it because there +// is no scope name on the left of the colon — just the literal `write-all` +// value at the permissions key. Treat both as equivalent for the purposes +// of the persist-credentials and lifecycle-script gates below. +const WRITE_ALL_PATTERN = /^\s*permissions:\s*write-all\b/m; const NPM_AUDIT_PATTERN = /\bnpm\s+audit\b(?!\s+signatures\b)/; const NPM_AUDIT_SIGNATURES_PATTERN = /\bnpm\s+audit\s+signatures\b/; const ACTIONS_CACHE_PATTERN = /uses:\s*['"]?actions\/cache@/m; @@ -124,7 +130,7 @@ function findViolations(filePath, source) { } } - if (WRITE_PERMISSION_PATTERN.test(source)) { + if (WRITE_PERMISSION_PATTERN.test(source) || WRITE_ALL_PATTERN.test(source)) { for (const step of checkoutSteps) { if (!/persist-credentials:\s*['"]?false['"]?\b/m.test(step.text)) { violations.push({ diff --git a/tests/ci/validate-workflow-security.test.js b/tests/ci/validate-workflow-security.test.js index b32f1176..cacbcc39 100644 --- a/tests/ci/validate-workflow-security.test.js +++ b/tests/ci/validate-workflow-security.test.js @@ -155,6 +155,34 @@ function run() { assert.strictEqual(result.status, 0, result.stderr || result.stdout); })) passed++; else failed++; + // `permissions: write-all` is GitHub Actions' shorthand for granting every + // scope write access. The named-scope pattern only catches `contents: write`, + // `issues: write`, etc., so workflows that opt into write-all were silently + // exempted from the persist-credentials and --ignore-scripts gates. + + if (test('rejects checkout credential persistence in workflows with permissions: write-all', () => { + const result = runValidator({ + 'unsafe-write-all-checkout.yml': `name: Unsafe\non:\n workflow_dispatch:\npermissions: write-all\njobs:\n release:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n - run: npm ci --ignore-scripts\n`, + }); + assert.notStrictEqual(result.status, 0, 'Expected validator to fail on write-all + credential-persisting checkout'); + assert.match(result.stderr, /write permissions must disable checkout credential persistence/); + })) passed++; else failed++; + + if (test('rejects npm ci without ignore-scripts in workflows with permissions: write-all', () => { + const result = runValidator({ + 'unsafe-write-all-install.yml': `name: Unsafe\non:\n workflow_dispatch:\npermissions: write-all\njobs:\n audit:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n with:\n persist-credentials: false\n - run: npm ci\n`, + }); + assert.notStrictEqual(result.status, 0, 'Expected validator to fail on write-all + npm ci without --ignore-scripts'); + assert.match(result.stderr, /npm ci must include --ignore-scripts/); + })) passed++; else failed++; + + if (test('allows compliant workflow with permissions: write-all', () => { + const result = runValidator({ + 'safe-write-all.yml': `name: Safe\non:\n workflow_dispatch:\npermissions: write-all\njobs:\n release:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v4\n with:\n persist-credentials: false\n - run: npm ci --ignore-scripts\n`, + }); + assert.strictEqual(result.status, 0, result.stderr || result.stdout); + })) passed++; else failed++; + if (test('rejects actions/cache in workflows with id-token write', () => { const result = runValidator({ 'unsafe-oidc-cache.yml': `name: Unsafe\non:\n push:\npermissions:\n contents: read\n id-token: write\njobs:\n release:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/cache@v5\n with:\n path: ~/.npm\n key: cache\n`,