
Conversation

@aidenfoxivey
Contributor

I started running poutine on the liboqs repository and found the following results. It looks like the existing nix action I picked was not verified. I have opted to use the Determinate Nix installer instead, which is verified.

~/s/liboqs % poutine analyze_local .
Rule: Github Action from Unverified Creator used
Severity: note
Description: Usage of the following GitHub Actions repositories was detected in workflows
or composite actions, but their owner is not a verified creator.
Documentation: https://boostsecurityio.github.io/poutine/rules/github_action_from_unverified_creator_used

+------------------------------------------+-------------------+-------------------------------------------------------------+
|                REPOSITORY                |      DETAILS      |                             URL                             |
+------------------------------------------+-------------------+-------------------------------------------------------------+
| benchmark-action/github-action-benchmark | Used in 1 repo(s) | https://github.com/benchmark-action/github-action-benchmark |
|                                          |                   |                                                             |
| cachix/install-nix-action                | Used in 1 repo(s) | https://github.com/cachix/install-nix-action                |
|                                          |                   |                                                             |
+------------------------------------------+-------------------+-------------------------------------------------------------+


Summary of findings:
+--------------------------------------------+--------------------------------------------------------+----------+--------+
|                  RULE ID                   |                       RULE NAME                        | FAILURES | STATUS |
+--------------------------------------------+--------------------------------------------------------+----------+--------+
| confused_deputy_auto_merge                 | Confused Deputy Auto-Merge                             |        0 | Passed |
| debug_enabled                              | CI Runner Debug Enabled                                |        0 | Passed |
| default_permissions_on_risky_events        | Default permissions used on risky events               |        0 | Passed |
| github_action_from_unverified_creator_used | Github Action from Unverified Creator used             |        2 | Failed |
| if_always_true                             | If condition always evaluates to true                  |        0 | Passed |
| injection                                  | Injection with Arbitrary External Contributor Input    |        0 | Passed |
| job_all_secrets                            | Workflow job exposes all secrets                       |        0 | Passed |
| known_vulnerability_in_build_component     | Build Component with a Known Vulnerability used        |        0 | Passed |
| known_vulnerability_in_build_platform      | Build Platform with a Known Vulnerability used         |        0 | Passed |
| pr_runs_on_self_hosted                     | Pull Request Runs on Self-Hosted GitHub Actions Runner |        0 | Passed |
| unpinnable_action                          | Unpinnable CI component used                           |        0 | Passed |
| untrusted_checkout_exec                    | Arbitrary Code Execution from Untrusted Code Changes   |        0 | Passed |
| unverified_script_exec                     | Unverified Script Execution                            |        0 | Passed |
+--------------------------------------------+--------------------------------------------------------+----------+--------+
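The two findings above come from poutine's own rules (unverified creator, and the separate unpinnable-component rule listed in the summary). The following is an added example, not code from the PR, from poutine or from liboqs: a small audit that pulls every `uses:` reference out of workflow text, flags owners outside a team-maintained allowlist of verified creators, and flags references that are not pinned to a full commit SHA. The allowlist, the sample workflow and the placeholder SHA are constructed for the example; verified-creator status is something a team confirms against the GitHub Marketplace listing, not something this script can determine offline.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample standing in for the contents of .github/workflows/*.yml.
# The 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: nix
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v27
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: benchmark-action/github-action-benchmark@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - run: nix build
"""

# Assumed allowlist of owners the team has confirmed as verified creators.
# This set is an example input, not an authoritative list.
VERIFIED_OWNERS = {"actions", "github", "determinatesystems"}

# Matches "- uses: owner/repo@ref" (with or without quotes) at any indentation.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full 40-hex-digit commit SHA is the only reference form that cannot drift.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    ref: str
    owner: str
    unverified: bool   # owner not in the verified-creator allowlist
    unpinned: bool     # version is a tag/branch rather than a commit SHA


def parse_uses(text: str) -> list:
    """Return every action reference used in the workflow text, in order."""
    refs = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append(m.group(1))
    return refs


def check_ref(ref: str) -> Optional[Finding]:
    """Classify one reference; local and docker references have no GitHub owner."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    path, _, version = ref.partition("@")
    owner = path.split("/")[0]
    unverified = owner.lower() not in VERIFIED_OWNERS
    unpinned = SHA_RE.match(version) is None
    return Finding(ref, owner, unverified, unpinned)


def audit(text: str) -> list:
    """Return only the references that trip at least one of the two checks."""
    findings = []
    for ref in parse_uses(text):
        f = check_ref(ref)
        if f is not None and (f.unverified or f.unpinned):
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        flags = []
        if f.unverified:
            flags.append("owner not in verified-creator allowlist")
        if f.unpinned:
            flags.append("not pinned to a commit SHA")
        print(f"{f.ref}: {', '.join(flags)}")
```

Running it over the sample reports four of the five references: the two tag-pinned verified actions only for pinning, the cachix action for both checks, and the benchmark action only for the owner check, which mirrors the situation in this PR where a SHA pin alone does not satisfy the unverified-creator rule.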


@aidenfoxivey aidenfoxivey force-pushed the verified-nix-installation branch from e198586 to 3cdc518 Compare July 23, 2025 19:50
@coveralls

coveralls commented Jul 23, 2025

Coverage Status

coverage: 82.753%. remained the same
when pulling 6fa237e on aidenfoxivey:verified-nix-installation
into 78e2389 on open-quantum-safe:main.

@aidenfoxivey aidenfoxivey force-pushed the verified-nix-installation branch from 3cdc518 to 6fa237e Compare July 24, 2025 16:13
@aidenfoxivey
Contributor Author

It appears that Travis CI is just misbehaving: https://app.travis-ci.com/github/open-quantum-safe/liboqs/jobs/634314038

@aidenfoxivey
Contributor Author

I believe verified in this context just means that the GitHub Actions workflow is verified here instead of being '3rd party'. I would prefer to replace all the actions with verified ones (as it seems the poutine scanner prefers them), but I have yet to find an appropriate replacement for benchmark-action/github-action-benchmark.

@dstebila dstebila added the needs review Looking for a(nother) review label Aug 7, 2025
Member

@praveksharma praveksharma left a comment

Thank you @aidenfoxivey!

@dstebila dstebila merged commit ec23683 into open-quantum-safe:main Aug 18, 2025
83 of 84 checks passed
@dstebila dstebila removed the needs review Looking for a(nother) review label Aug 18, 2025