Public Build Security on PRs

tom · December 5, 2018, 7:17pm

Are there plans to offer functionality that allows us to control whether or not builds can be triggered by pull requests that are from “untrusted users?”

Here is our scenario. We are using Buildkite as a replacement for TravisCI/AppVeyor to run pull request verification tests. The test definitions are kept in a YAML file that is dynamically loaded using the buildkite-agent. We’re concerned that a malicious user could open up a pull request and modify the YAML in a malicious manner.

We’re hoping there could be a way we could “quarantine” those builds until the pull request could be reviewed by a trusted user.

moensch · December 7, 2018, 5:02am

There is already an option the pipeline settings to not start builds when the PR comes from a fork:

Build pull requests from third-party forked repositories . Creates builds for pull requests from third-party forks.

You could just leave that disabled, so you wouldn’t automatically kick off builds for third-party changes to your repo.

tom · December 7, 2018, 5:22am

Im aware of that setting, but that doesnt meet my requirments. I need to allow builds to be (or not to be) triggered based on the github user, regardless of whether or not they are on a fork.

justin · January 24, 2019, 4:57am

Hey there @tom!

Unfortunately this functionality isn’t something that buildkite does just yet, though this use-case is certainly on our radar and something that we’re planning on accounting for in future!

As a potential work around for now I’d suggest a hard coded (via the buildkite UI) a step that runs in these public pipelines that can sanity check the origin on the code, and can then prepend a block step before any uploaded dynamic pipeline steps are added (potentially also shooting a notification off to your team to let them know that the pipeline needs review). Does this sound like it’d do the job?

We’re keen to remove this extra legwork in the future once we get a better idea of all the potential use-cases and approaches that people need to support for running their public builds/pipelines.

Cheers,

Justin.

tom · January 24, 2019, 4:32pm

@justin thanks for getting back to me. Your workaround is actually the implementation we came up with, and it opened up a ton of options for other really interesting work. For example, we were able to build our own DSL on top of your Pipeline DSL. So, in terms of priority, my original ask has gone away, but I still think a native way to authorize public users would be a useful product feature.

justin · January 28, 2019, 7:54am

@tom Awesome — that’s great to hear! We’d love to hear the details of your implementation as we’re actively thinking about solving things in this space…a native way of managing this is absolutely on the cards.

tom · October 29, 2019, 1:34pm

Right now, we look to see if the BUILDKITE_CREATOR_TEAMS environment variable is set. Pretty straight forward.

However, if I were to request a potential solution, I would love to see an integration using a GitHub app. We could install the “Buildkite App” into our organization, and then toggle a setting that says “Block builds from non-organization GitHub users” under the GitHub settings of the pipeline (or someplace similar). Should be easy enough to find organization membership given the information provided by the webhook payload.