{"id":26581544,"url":"https://github.com/securefix-action/action","last_synced_at":"2025-03-23T07:20:27.292Z","repository":{"id":282131134,"uuid":"947590271","full_name":"securefix-action/action","owner":"securefix-action","description":"GitHub Action to fix code securely","archived":false,"fork":false,"pushed_at":"2025-03-20T03:37:14.000Z","size":75,"stargazers_count":13,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-03-20T04:29:15.695Z","etag":null,"topics":["cicd","github-actions","oss","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/securefix-action.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["suzuki-shunsuke"]}},"created_at":"2025-03-12T23:47:46.000Z","updated_at":"2025-03-20T03:37:17.000Z","dependencies_parsed_at":"2025-03-20T04:25:33.710Z","dependency_job_id":null,"html_url":"https://github.com/securefix-action/action","commit_stats":null,"previous_names":["securefix-action/action"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securefix-action%2Faction","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securefix-action%2Faction/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securefix-action%2Faction/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/securefix-action%2Faction/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/securefix-action","download_url":"https://codeload.github.com/securefix-action/action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245067623,"owners_count":20555603,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cicd","github-actions","oss","security"],"created_at":"2025-03-23T07:20:26.731Z","updated_at":"2025-03-23T07:20:27.269Z","avatar_url":"https://github.com/securefix-action.png","language":null,"funding_links":["https://github.com/sponsors/suzuki-shunsuke"],"categories":[],"sub_categories":[],"readme":"# Securefix Action\n\n[![License](http://img.shields.io/badge/license-mit-blue.svg?style=flat-square)](https://raw.githubusercontent.com/securefix-action/action/main/LICENSE) | [Versioning Policy](https://github.com/suzuki-shunsuke/versioning-policy/blob/main/POLICY.md)\n\nSecurefix Action is GitHub Actions to fix code securely.\n\n![image](https://github.com/user-attachments/assets/21ec46f9-3c9b-4314-8609-0ef1b8c25791)\n\n![image](https://github.com/user-attachments/assets/5d854cf1-cff1-4af2-ab71-81cba3d8eb1d)\n\nSecurefix Action allows you to fix code securely without sharing a GitHub App private key with strong permissions such as `contents:write` and `actions:write` across GitHub Actions workflows.\nYou don't need to allow external services to access your code.\nIt elevates the security of your workflows to the next level.\n\nFurthermore, it's easy to use.\nYou don't need to host a server application.\nIt achieves a server/client architecture using GitHub Actions by unique approach.\n\n## Features\n\n- 💪 Increase the developer productivity by fixing code in CI\n- 🛡 Secure\n  - You don't need to pass a GitHub App private key with strong permissions to GitHub Actions workflows on the client side\n  - You don't need to allow external services to access your code\n  - You can define custom validation before creating a commit\n  - Commits are verified (signed)\n- 😊 Easy to use\n  - You can create a commit by one action on the client side\n  - You don't need to host a server application\n- 😉 [OSS (MIT License)](LICENSE)\n\n## Overview\n\nSometimes you want to fix code in CI:\n\n- Format code\n- Generate document from code\n- etc\n\nIn case of public repositories, we strongly recommend [autofix.ci](https://autofix.ci).\nautofix.ci allows you to fix code in CI of pull requests including pull requests from fork repositories securely.\nautofix.ci is easy to use, and it's free in public repositories. We love it.\n\nautofix.ci is also available in private repositories, but perhaps it's a bit hard to use it in your private repositories for your business.\n\n- It's not free, so you may have to submit a request to your company\n- You need to allow the external server of autofix.ci to access your code. Perhaps you can't accept it\n- If you don't receive pull requests from fork repositories, the reason to use autofix.ci might not be so string because you can fix code using actions such as [commit-action](https://github.com/suzuki-shunsuke/commit-action)\n\nWe think autofix.ci is valuable in private repositories too, but perhaps you can't use it.\n\nIf you use fix code in CI, you need to use an access token with `contents:write` permission.\nBut if the token is abused, malicious code can be committed.\nFor instance, an attacker can create a malicious commit to a pull request, and he may be able to approve and merge the pull request.\nIt's so dangerous.\n\nTo prevent such a threat, you should protect personal access tokens and GitHub Apps having strong permissions securely.\n\nOne solution is the client/server architecture.\nClients are GitHub Actions workflows that want to fix code.\nThey send a request to the server, then the server fix code.\nYou don't need to pass an access token having strong permissions to clients (GitHub Actions Workflows).\n\nThen how do you build the server?\nFor instance, you would be able to build the server using AWS Lambda, Google Cloud Function, or k8s, and so on.\nBut we don't want to host such a server application.\n\nSo we build a server using GitHub Actions workflow by unique approach.\nYou don't need to host a server application.\n\n## Example\n\n- [demo-server](https://github.com/securefix-action/demo-server): [workflow](https://github.com/securefix-action/demo-server/blob/main/.github/workflows/securefix.yaml)\n- [demo-client](https://github.com/securefix-action/demo-client): [workflow](https://github.com/securefix-action/demo-client/blob/main/.github/workflows/securefix.yaml)\n\n## Architecture\n\nSecurefix Action adopts client/server architecture.\nIt uses following GitHub Apps, repositories, and workflows:\n\n- two GitHub Apps\n  - a Server GitHub App: a GitHub App to create commits\n  - a Client GitHub App: a GitHub App to send requests to a server workflow\n- Repositories\n  - a Server repository: a repository where a server workflow works\n  - Client repositories: repositories where client workflows work\n- Workflows\n  - a Server Workflow: Receive requests from client workflows and create commits\n  - a Client Workflow: Request to fix code to the Server Workflow\n\n![Image](https://github.com/user-attachments/assets/94781831-0aad-4513-ac92-fb5cfa859e19)\n\n- Server: 1 GitHub App, 1 Repository\n- Client: 1 GitHub App, N Repositories\n\n![Image](https://github.com/user-attachments/assets/383de1da-a267-4f96-a86c-9151d66cebc5)\n\n1. The client workflow uploads fixed files and metadata to GitHub Actions Artifacts\n2. The client workflow creates an issue label to the server repository (The label is deleted immediately)\n3. The server workflow is triggered by `label:created` event\n4. The server workflow downloads fixed files and metadata from GitHub Actions Artifacts\n5. The server workflow validates the request\n6. The server workflow pushes a commit to the client repository\n\n### :bulb: Why are labels used?\n\nSecurefix Action uses `label` event to trigger a server workflow.\nGenerally `repository_dispatch` or `workflow_dispatch` events are used to trigger workflows by API, but they require the permission `actions:write`.\nThis permission is too strong.\nSo we looked for better events from [all events](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows), and we found `label` event.\nEven if the permission is abused, the risk is low.\n\n## Getting Started\n\n1. Create two repositories from templates [demo-server](https://github.com/new?template_name=demo-server\u0026template_owner=securefix-action) and [demo-client](https://github.com/new?template_name=demo-client\u0026template_owner=securefix-action)\n1. [Create a GitHub App for server](#github-app-for-server)\n1. [Create a GitHub App for client](#github-app-for-client)\n1. Create GitHub App private keys\n1. [Add GitHub App's id and private keys to GitHub Secrets and Variables](#add-github-apps-id-and-private-keys-to-github-secrets-and-variables)\n1. [Fix the server workflow if necessary](#fix-the-server-workflow-if-necessary)\n1. [Fix the client workflow if necessary](#fix-the-client-workflow-if-necessary)\n1. [Add a new file `bar.yaml` to client' repository and create a pull request](#add-a-new-file-baryaml-to-client-repository-and-create-a-pull-request)\n\n### GitHub App for server\n\nDeactivate Webhook.\n\nPermissions:\n\n- `contents:write`: To create commits\n- `actions:read`: To download GitHub Actions Artifacts to fix code\n- `workflows:write`: Optional. This is required if you want to fix GitHub Actions workflows\n- `pull_requests:write`: To notify problems on the server side to pull requests\n\nInstalled Repositories: Install the app into the server repository and client repositories.\n\n### GitHub App for client\n\nDeactivate Webhook.\n\nPermissions:\n\n- `issues:write`: To create labels\n\nInstalled Repositories: Install the app into the server repository and client repositories.\n\n### Add GitHub App's id and private keys to GitHub Secrets and Variables\n\nAdd GitHub App's private keys and ID to Repository Secrets and Variables\n\n- client\n  - id: client repository's variable `DEMO_CLIENT_APP_ID`\n  - private key: client repository's Repository Secret `DEMO_CLIENT_PRIVATE_KEY`\n- server\n  - id: server repository's variable `DEMO_SERVER_APP_ID`\n  - private key: server repository's Repository Secret `DEMO_SERVER_PRIVATE_KEY`\n\n\u003e [!WARNING]\n\u003e In the getting started, we add private keys to Repository Secrets simply.\n\u003e But when you use Securefix Action actually, you must manage the Server GitHub App's private key and the server workflow securely.\n\u003e Only the server workflow must be able to access the server app's private key.\n\u003e [See also `How to manage a server GitHub App and a server workflow`](#how-to-manage-a-server-github-app-and-a-server-workflow).\n\n### Fix the server workflow if necessary\n\n[Workflow](https://github.com/securefix-action/demo-server/blob/main/.github/workflows/securefix.yaml)\n\nIf you change a variable name and a secret name, please fix the workflow.\n\n### Fix the client workflow if necessary\n\n[Workflow](https://github.com/securefix-action/demo-client/blob/main/.github/workflows/securefix.yaml)\n\n- If you change a variable name and a secret name, please fix the workflow\n- If you change the server repository name, please fix the input `server_repository`\n\n### Add a new file `bar.yaml` to client' repository and create a pull request\n\n1. Add `bar.yaml` to client repository ([Example](https://github.com/securefix-action/demo-client/pull/8/commits/0a0103a3c319f08739632b72aef6b539377da11b))\n\nbar.yaml:\n\n```yaml\nnames:\n- bar\n```\n\n2. Create a pull request ([Example](https://github.com/securefix-action/demo-client/pull/8)):\n\nThen workflows are run and `bar.yaml` is fixed automatically:\n\n![image](https://github.com/user-attachments/assets/808b7348-f1a6-41ff-97fb-c4125f31ed14)\n\n![image](https://github.com/user-attachments/assets/610668c2-a6e9-4c9b-a02a-381f9f1cd56a)\n\n[commit](https://github.com/securefix-action/demo-client/pull/8/commits/e8b1f71602ecacd7948351fd197a55370bdc38dd)\n\n```diff\n--- a/bar.yaml\n+++ b/bar.yaml\n@@ -1,2 +1,2 @@\n names:\n-- bar\n+  - bar\n```\n\n## Actions\n\nSecurefix Action composes of four actions:\n\n- [securefix-action/action](docs/client.md) ([action.yaml](action.yaml)): Client action\n- [securefix-action/action/server/prepare](server/prepare) ([action.yaml](server/prepare/action.yaml)): Server action to prepare for creating commits\n- [securefix-action/action/server/commit](server/commit) ([action.yaml](server/commit/action.yaml)): Server action to create commits\n- [securefix-action/action/server/notify](server/notify) ([action.yaml](server/notify/action.yaml)): Server action to notify the server failure\n\n## Security\n\n\u003e - You don't need to pass a GitHub App private key having strong permissions to GitHub Actions workflows on the client side\n\u003e - You don't need to allow external services to access your code\n\u003e - You can define custom validation before creating a commit\n\u003e - Commits are verified (signed)\n\nClient workflows can use a Client GitHub App, but it has only `issues:write` permission.\nEven if the app is abused, the risk is low.\nServer action creates a commit to the same repository and branch with the GitHub Actions Artifact.\nSo it doesn't allow attackers to create a malicious commit to a different repository or a different branch.\n\n### How to manage a server GitHub App and a server workflow\n\nYou must protect a server GitHub App and a server workflow from attacks securely.\nThere are several ideas:\n\n- GitHub App Private Key:\n  - [Use GitHub Environment Secret](https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment#deployment-protection-rules)\n    - Restrict the branch\n  - Use a secret manager such as AWS Secrets Manager and [restrict the access by OIDC claims (repository, event, branch, workflow, etc)](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect)\n- Server Workflow\n  - Restrict members having the write permission of the server repository\n    - For instance, grant the write permission to only system administrators\n\n### Custom Validation\n\nYou can insert custom validation between `server/prepare` action and `server/commit` action.\nYou can use [`server/prepare` action's outputs](server/prepare#outputs).\n\n```yaml\n- uses: securefix-action/action/server/prepare@c5696e3325f3906c5054ad80f3b9cdd92d65173b # v0.1.0\n  id: prepare\n  with:\n    app_id: ${{ vars.DEMO_SERVER_APP_ID }}\n    app_private_key: ${{ secrets.DEMO_SERVER_PRIVATE_KEY }}\n# Custom Validation\n- if: fromJson(steps.prepare.outputs.pull_request).user.login != 'suzuki-shunsuke'\n  run: |\n    exit 1\n- uses: securefix-action/action/server/commit@c5696e3325f3906c5054ad80f3b9cdd92d65173b # v0.1.0\n  with:\n    outputs: ${{ toJson(steps.prepare.outputs) }}\n- uses: securefix-action/action/server/notify@c5696e3325f3906c5054ad80f3b9cdd92d65173b # v0.1.0\n  failure()\n  with:\n    outputs: ${{ toJson(steps.prepare.outputs) }}\n```\n\n## Troubleshooting\n\n### Client Workflow Name\n\nBy default, the client workflow name must be `securefix` for security.\nOtherwise, the server/prepare action fails.\n[You can change the workflow name or remove the restriction using server/prepare action's `workflow_name` input.](server/prepare#optional-inputs)\n\n### How To Fix Workflow Files\n\nBy default, Serverfix Action doesn't allow you to fix workflow files for security.\nBy default, the server action fails if fixed files include workflow files.\n[You can allow it by setting server/prepare action's `allow_workflow_fix` to `true`.](server/prepare#optional-inputs)\n\n### GitHub API Rate Limiting\n\nIf you use Server Action in many client repositories and face GitHub API limiting, you can avoid the rate limiting by creating new GitHub Apps and a server repository and splitting clients:\n\n![Image](https://github.com/user-attachments/assets/34551fb7-6471-4bf2-bea1-c6056c005330)\n\nReference:\n\n- [Rate Limit of REST API](https://docs.github.com/en/enterprise-cloud@latest/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28)\n- [Rate Limit of GraphQL API](https://docs.github.com/en/enterprise-cloud@latest/graphql/overview/rate-limits-and-node-limits-for-the-graphql-api)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecurefix-action%2Faction","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsecurefix-action%2Faction","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsecurefix-action%2Faction/lists"}