| Versioning Policy

Secure Action is GitHub Actions to run any pre-defined tasks securely. It allows you to run any tasks securely without granting strong permissions to GitHub Actions workflows which many people can edit. It elevates the security of your workflows to the next level.

Furthermore, it's easy to use. You don't need to host a server application. It achieves a Client/Server Module using GitHub Actions by unique approach.

We have developed Securefix Action, which is a GitHub Actions to fix code securely. We developed Secure Action to extend Securefix Action for not only fixing code but also running any tasks. The architecture of Secure Action is heavily inspired to Securefix Action. So please check Securefix Action out too.

• 💪 Increase the developer productivity by running tasks in CI
• 🛡 Secure
  • You don't need to pass a GitHub App private key with strong permissions to GitHub Actions workflows on the client side
  • You don't need to allow external services to access your code
  • You can define custom validation before creating a commit
• 😊 Easy to use
  • You don't need to host a server application
• 😉 OSS (MIT License)

We assume two use cases:

1. Run tasks via pull requests from fork repositories securely
2. Run tasks in private repositories for your business securely

--

1. Sometimes you want to run tasks via pull requests from fork repositories:

• Add labels
• Post comments
• Create reviews

These tasks need write permissions, but pull_request workflows don't have these permissions and can't read GitHub Secrets. pull_request_target has write permissions and can read GitHub Secrets, but it's dangerous.

Secure Action can run these tasks securely by workflow_run event.

--

2. In the team development on private repositories, sometimes you want to call API of GitHub and SaaS such as AWS in GitHub Actions. You can grant the permission to GitHub Actions, but it may be abused. For instance, an attacker may be able to create a pull request with malicious commits using GitHub App and approve and merge the pull request.

To solve this problem, Secure Action adopts a Client/Server Model. A client workflow is a workflow which people trigger. The client workflow itself doesn't have strong permissions. It sends requests to server workflows. Server workflows validate requests and run them. By validation, client workflows can run only allowed tasks.

Secure Action builds a Client/Server Model using GitHub Actions. You don't need to host a server application.

Coming soon.

Secure Action adopts a Client/Server Model. It uses following GitHub Apps, repositories, and workflows:

• two GitHub Apps
  • a Server GitHub App: a GitHub App to handle tasks
  • a Client GitHub App: a GitHub App to send requests to a server workflow
    • If you use workflow_run event, this app is unnecessary
• Repositories
  • a Server repository: a repository where a server workflow works
  • Client repositories: repositories where client workflows work
• Workflows
  • a Server Workflow: Receive and handle requests from client workflows
  • a Client Workflow: Send requests to the Server Workflow

• Server: 1 GitHub App, 1 Repository
• Client: 1 GitHub App, N Repositories

1. The client workflow uploads requests to GitHub Actions Artifacts
2. The client workflow creates an issue label to the server repository (The label is deleted immediately)
3. The server workflow is triggered by label:created event
4. The server workflow downloads requests from GitHub Actions Artifacts
5. The server workflow validates requests
6. The server workflow handles requests

You can also use workflow_run event instead of label:created event. workflow_run is useful for pull requests from fork repositories.

Secure Action uses label event to trigger a server workflow. Generally repository_dispatch or workflow_dispatch events are used to trigger workflows by API, but they require the permission contents:write. This permission is too strong. So we looked for better events from all events, and we found label event. Even if the permission is abused, the risk is low.

Coming soon.

Coming soon.

Coming soon.

Coming soon.

Coming soon.

Coming soon.