
"Test reverse dependencies" should use an explicit list of packages #138

@Lysxia


The "test dependants" script (linked below) that compiles all reverse dependencies seems dangerous in this era of supply chain attacks. If you use this script, a malicious actor can get arbitrary code running on your CI by simply adding a package that depends on yours to the Rocq opam repository (Rocq opam maintainers can't feasibly review every single line of code of packages that are submitted there). This doesn't give access to a lot if you use the template as-is, but it's not difficult to imagine a scenario where an innocent user modifies their CI workflow to access some secrets and bam, that's a leak waiting to happen.

```yaml
<%# ci_test_dependants %>
      after_script: |
        startGroup "Test dependants"
        # Every package opam reports as a dependant is installed and tested here
        PINS=$(opam list -s --pinned --columns=package | xargs | tr ' ' ,)
        PACKAGES=`opam list -s --depends-on <% opam_name %><%^ opam_name %>coq-<% shortname %><%/ opam_name %> --coinstallable-with $PINS`
        for PACKAGE in $PACKAGES
        do DEPS_FAILED=false
          opam install -y --deps-only $PACKAGE || DEPS_FAILED=true
          [ $DEPS_FAILED == true ] || opam install -t $PACKAGE
        done
        endGroup
<%/ ci_test_dependants %>
```

The fix is to require an explicit list of packages to test so it's up to each user of this template to vet the packages they add there.
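One way to implement the explicit-list fix described above, as an added example that is not part of the template or of the issue: the CI step keeps an allowlist of vetted dependants, and only packages that are both on that list and reported by opam as actual reverse dependencies get installed. The `VETTED_DEPENDANTS` variable and the `select_vetted` / `test_dependants` names are assumptions.

```shell
#!/bin/sh
# Added example: test only reverse dependencies the template user has
# explicitly vetted. A package that merely declares a dependency on ours in
# the opam repository is reported and skipped, never built.

# Allowlist maintained by the template user (assumed name; edit per project).
VETTED_DEPENDANTS="coq-foo coq-bar"

# select_vetted VETTED DISCOVERED
# Prints, one per line, the discovered packages that are also in the
# allowlist; every other discovered package is reported on stderr.
select_vetted() {
  vetted="$1"
  discovered="$2"
  for pkg in $discovered; do
    # Quoted pattern parts are literal, so package names are matched exactly.
    case " $vetted " in
      *" $pkg "*) printf '%s\n' "$pkg" ;;
      *) printf 'skipping unvetted dependant: %s\n' "$pkg" >&2 ;;
    esac
  done
}

# test_dependants PACKAGE_NAME
# Same loop as the template, but over the vetted intersection only.
test_dependants() {
  name="$1"
  pins=$(opam list -s --pinned --columns=package | xargs | tr ' ' ,)
  discovered=$(opam list -s --depends-on "$name" --coinstallable-with "$pins")
  for pkg in $(select_vetted "$VETTED_DEPENDANTS" "$discovered"); do
    if opam install -y --deps-only "$pkg"; then
      opam install -t "$pkg"
    fi
  done
}
```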
