bitwarden_workflow_linter 0.5.6__py3-none-any.whl → 0.5.7__py3-none-any.whl

bitwarden_workflow_linter/__about__.py

@@ -1,3 +1,3 @@
 """Metadata for Workflow Linter."""
 
-__version__ = "0.5.6"
+__version__ = "0.5.7"

bitwarden_workflow_linter/default_settings.yaml

@@ -7,5 +7,6 @@ enabled_rules:
   - bitwarden_workflow_linter.rules.step_pinned.RuleStepUsesPinned
   - bitwarden_workflow_linter.rules.underscore_outputs.RuleUnderscoreOutputs
   - bitwarden_workflow_linter.rules.run_actionlint.RunActionlint
+  - bitwarden_workflow_linter.rules.check_pr_target.RuleCheckPrTarget
 
 approved_actions_path: default_actions.json

bitwarden_workflow_linter/models/job.py

@@ -23,6 +23,7 @@ class Job:
     key: Optional[str] = None
     name: Optional[str] = None
     env: Optional[CommentedMap] = None
+    needs: Optional[List[str]] = None
     steps: Optional[List[Step]] = None
     uses: Optional[str] = None
     uses_path: Optional[str] = None
@@ -32,6 +33,13 @@ class Job:
     )
     outputs: Optional[CommentedMap] = None
 
+    @classmethod
+    def parse_needs(cls: Self, value):
+        """Parser to make all needs values lists that can be searched by linter."""
+        if isinstance(value, str):
+            return [value]
+        return value
+
     @classmethod
     def init(cls: Self, key: str, data: CommentedMap) -> Self:
         """Custom dataclass constructor to map job data to a Job."""
@@ -40,6 +48,7 @@ class Job:
             "name": data["name"] if "name" in data else None,
             "runs-on": data["runs-on"] if "runs-on" in data else None,
             "env": data["env"] if "env" in data else None,
+            "needs": Job.parse_needs(data["needs"]) if "needs" in data else None,
             "outputs": data["outputs"] if "outputs" in data else None,
         }
 

bitwarden_workflow_linter/rules/check_pr_target.py

@@ -0,0 +1,81 @@
+"""A Rule to enforce check-run is run when workflow uses pull_request_target."""
+
+from typing import Optional, Tuple
+
+from ..models.workflow import Workflow
+from ..rule import Rule
+from ..utils import LintLevels, Settings
+
+
+class RuleCheckPrTarget(Rule):
+    def __init__(self, settings: Optional[Settings] = None) -> None:
+        """
+        To ensure pull_request_target is safe to use, the check-run step is added 
+        to all jobs as a dependency.
+
+        Once a branch is pushed to Github, it already opens up a vulnerability 
+        even if the check-run scan fails to detect this. 
+        
+        In order to prevent a vulnerable branch from being used for an attack 
+        prior to being caught through vetting, all pull_request_target workflows 
+        should only be run by users with appropriate permissions.  
+
+        This greatly reduces the risk as community contributors can't use a fork to run a compromised workflow that uses pull_request_target.
+        """
+        self.message = "A check-run job must be included as a direct job dependency when pull_request_target is used and the workflow may only apply to runs on the main branch"
+        self.on_fail = LintLevels.WARNING
+        self.compatibility = [Workflow]
+        self.settings = settings
+    
+    def targets_main_branch(self, obj:Workflow) -> bool:
+        if obj.on["pull_request_target"].get("branches"):
+            branches_list = obj.on["pull_request_target"].get("branches")
+            if isinstance(branches_list, str):
+                branches_list = [branches_list]
+            if any(branch != 'main' for branch in branches_list):
+                return False
+        else:
+            return False
+        return True
+
+    def has_check_run(self, obj: Workflow) -> Tuple[bool, str]:
+        for name, job in obj.jobs.items():
+            if job.uses == "bitwarden/gh-actions/.github/workflows/check-run.yml@main":
+                return True, name
+        return False, ""
+    
+    def check_run_required(self, obj:Workflow, check_job:str) -> list:
+        missing_jobs = []
+        for job in list(obj.jobs.keys()):
+            if job is not check_job:
+                job_list = obj.jobs[job].needs
+                if job_list:
+                    if check_job not in job_list:
+                        missing_jobs.append(job)
+                else:
+                    missing_jobs.append(job)
+        return missing_jobs
+
+    def fn(self, obj: Workflow) -> Tuple[bool, str]:
+        Errors = []
+        if obj.on.get("pull_request_target"):
+            result, check_job = self.has_check_run(obj)
+            main_branch_only = self.targets_main_branch(obj)
+            if not main_branch_only:
+                Errors.append("Workflows using pull_request_target can only target the main branch")
+            if result:
+                missing_jobs = self.check_run_required(obj, check_job)
+                if missing_jobs:
+                    job_list = ', '.join(missing_jobs)
+                    message = f"Check-run is missing from the following jobs in the workflow: {job_list}"
+                    Errors.append(message)
+            else:
+                message = f"A check-run job must be included as a direct job dependency when pull_request_target is used"
+                Errors.append(message)
+            if Errors:
+                self.message = "\n".join(Errors)
+                return False, f"{self.message}"
+            else:
+                return True, ""
+        else:
+            return True, ""

{bitwarden_workflow_linter-0.5.6.dist-info → bitwarden_workflow_linter-0.5.7.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bitwarden_workflow_linter
-Version: 0.5.6
+Version: 0.5.7
 Summary: Custom GitHub Action Workflow Linter
 Project-URL: Homepage, https://github.com/bitwarden/workflow-linter
 Project-URL: Issues, https://github.com/bitwarden/workflow-linter/issues

{bitwarden_workflow_linter-0.5.6.dist-info → bitwarden_workflow_linter-0.5.7.dist-info}/RECORD

@@ -1,18 +1,19 @@
-bitwarden_workflow_linter/__about__.py,sha256=yMKKZhZd98JL3DnAj0EuLwP2lI9B4ay-CHK8LiRA-_k,59
+bitwarden_workflow_linter/__about__.py,sha256=UUJxPIlJEXBTr87K95rAO3yy6PUDPLgqBoI5F9FVF6s,59
 bitwarden_workflow_linter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 bitwarden_workflow_linter/actions.py,sha256=LAn3yQeMMmCOvJWeTn3dE1U2nyEJqIBMwESq3TtY9hE,9069
 bitwarden_workflow_linter/cli.py,sha256=wgkK1MlVbo6Zx3f2CZZ_tkSWq_hdsGciHJA1knX6Yuw,1699
 bitwarden_workflow_linter/default_actions.json,sha256=6-h_0i7sNJPQMC5AzFtQxrlCJZcXECSBlBAKPrGTJfs,12770
-bitwarden_workflow_linter/default_settings.yaml,sha256=0sD7oU3UkTU7_63NqNCSIjQppt9kQXOQNsA11fkl8Xs,643
+bitwarden_workflow_linter/default_settings.yaml,sha256=-kMS3HpE6-h7IIx7izq1I4LA6D73L-MMA3ozgGDpsjQ,713
 bitwarden_workflow_linter/lint.py,sha256=RDHv5jGeGCf5XIHE8jyqQET3-cFykl7223SQVS4Q3pg,5525
 bitwarden_workflow_linter/load.py,sha256=XXbja-sVUtXaJjqF9sTP2xzFto3CXcCuEBNFp3Yo4VM,5078
 bitwarden_workflow_linter/rule.py,sha256=Qb60JiUDAWN3ayrMGoSbbDCSFmw-ql8djzAkxISaob4,3250
 bitwarden_workflow_linter/utils.py,sha256=9WO3T9w9vKAow_xR6JDz2MvdMXKExV18AzucF0vh67s,4695
 bitwarden_workflow_linter/models/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-bitwarden_workflow_linter/models/job.py,sha256=nBK7_VYu6RRST7WLtdLsoRErl5j4Er8W9hCw9XlSECk,2043
+bitwarden_workflow_linter/models/job.py,sha256=d4F0QG35DqaqgfbPa2YDRRxOZZakFDktIOsuUa-BbC8,2387
 bitwarden_workflow_linter/models/step.py,sha256=j81iWYWcNI9x55n1MOR0N6ogKaQ_4-CKu9LnI_fwEOE,1814
 bitwarden_workflow_linter/models/workflow.py,sha256=Jr1CJSCpII9Z4RT6Sh1wjzZU6ov3fZt45BmTrfLNLLE,1479
 bitwarden_workflow_linter/rules/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+bitwarden_workflow_linter/rules/check_pr_target.py,sha256=BPpd30ZQHQEqcvYY63zjd-v2rNngEMIqWghPWhU7WoE,3526
 bitwarden_workflow_linter/rules/job_environment_prefix.py,sha256=sY1cBU5AeBHWSyun7gwnoS0ycRyBMjjVo_2lvanBj7U,2612
 bitwarden_workflow_linter/rules/name_capitalized.py,sha256=quuqXM_qg93UE8mQo1YQp8cQ_Fx6c2u03_19s_c0ntw,1981
 bitwarden_workflow_linter/rules/name_exists.py,sha256=MxcaNQz64JXeHRPiOip9BxJNgPdpKQa7Z51mDoNw2hU,1681
@@ -21,8 +22,8 @@ bitwarden_workflow_linter/rules/run_actionlint.py,sha256=qzfrBUcvNMkeBKGMKkIyqRa
 bitwarden_workflow_linter/rules/step_approved.py,sha256=6XuYoasw2ME8vQu5G0ZygUSi7X5amLLWeXH81cqvKv8,3159
 bitwarden_workflow_linter/rules/step_pinned.py,sha256=fyqBjarR0UNQ6tU_ja0ZOi2afP942BMqOz5nU_yKzmw,3413
 bitwarden_workflow_linter/rules/underscore_outputs.py,sha256=w8pP1dTJEC9I2X5fQIAHDAEiaNP1xMhb4kPiF-dn8U0,4131
-bitwarden_workflow_linter-0.5.6.dist-info/METADATA,sha256=01WP8Mce9hy1t9uuoG6RpOTgi0RJtFsxTEPxCMN9Sug,6164
-bitwarden_workflow_linter-0.5.6.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-bitwarden_workflow_linter-0.5.6.dist-info/entry_points.txt,sha256=SA_yF9CwL4VMUvdcmCd7k9rjsQNzfeOUBuDnMnaO8QQ,60
-bitwarden_workflow_linter-0.5.6.dist-info/licenses/LICENSE.txt,sha256=uY-7N9tbI7xc_c0WeTIGpacSCnsB91N05eCIg3bkaRw,35140
-bitwarden_workflow_linter-0.5.6.dist-info/RECORD,,
+bitwarden_workflow_linter-0.5.7.dist-info/METADATA,sha256=j9lNs6EV6TE8oHpf6tNzoeOfwnBkEdSBkiTkFdOs_78,6164
+bitwarden_workflow_linter-0.5.7.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+bitwarden_workflow_linter-0.5.7.dist-info/entry_points.txt,sha256=SA_yF9CwL4VMUvdcmCd7k9rjsQNzfeOUBuDnMnaO8QQ,60
+bitwarden_workflow_linter-0.5.7.dist-info/licenses/LICENSE.txt,sha256=uY-7N9tbI7xc_c0WeTIGpacSCnsB91N05eCIg3bkaRw,35140
+bitwarden_workflow_linter-0.5.7.dist-info/RECORD,,