rtk-ai/rtk

Harden release workflow provenance inputs

Open

#1783 opened on May 8, 2026

Labels: area:ci, area:security, enhancement, help wanted, priority:medium

Description

Summary

The v0.39.0 release path is functional, but several release inputs are still floating:

  • external GitHub Actions are referenced by mutable tags;
  • the Rust toolchain is installed from stable;
  • packaging tools are installed with cargo install without --version/--locked;
  • some runner/container labels are floating (*-latest, fedora:latest).

This is a release hardening and provenance issue, not an accusation of malware. I did not find evidence that the v0.39.0 assets differ from the GitHub Actions run artifacts.

Version / tag / commit

Evidence

Source workflow references at v0.39.0:

  • .github/workflows/release.yml:41, :44, :48, :52, :57 use macos-latest, ubuntu-latest, and windows-latest through the release matrix.
  • .github/workflows/release.yml:62 uses actions/checkout@v4.
  • .github/workflows/release.yml:65 uses dtolnay/rust-toolchain@stable.
  • .github/workflows/release.yml:103, :128, :158 use actions/upload-artifact@v4.
  • .github/workflows/release.yml:119 runs cargo install cargo-deb.
  • .github/workflows/release.yml:136 uses container: fedora:latest.
  • .github/workflows/release.yml:146 runs cargo install cargo-generate-rpm.
  • .github/workflows/release.yml:168 uses actions/create-github-app-token@v3.
  • .github/workflows/release.yml:176 uses actions/checkout@v4.
  • .github/workflows/release.yml:179 uses actions/download-artifact@v4.
  • .github/workflows/release.yml:213 uses softprops/action-gh-release@v2.
  • .github/workflows/cd.yml:107 uses actions/create-github-app-token@v3.
  • .github/workflows/cd.yml:114 uses googleapis/release-please-action@v4.
  • .github/workflows/cd.yml:125 calls the reusable release workflow.
  • .github/workflows/cd.yml:138, :145 use actions/create-github-app-token@v3 and actions/checkout@v4 for the latest tag update.

Run metadata for v0.39.0:

  • GET /repos/rtk-ai/rtk/actions/runs/25445836840 shows repository.full_name=rtk-ai/rtk, head_repository.full_name=rtk-ai/rtk, head_branch=master, head_sha=2fbc7514f6964acabcfac65501b8bb6b525e3aa8, referenced_workflows[0].path=rtk-ai/rtk/.github/workflows/release.yml@2fbc7514f6964acabcfac65501b8bb6b525e3aa8.
  • The release asset uploader is rtk-release-bot[bot], matching the GitHub App token created in the release job.
  • The Windows build job log resolved dtolnay/rust-toolchain@stable to action SHA 29eef336d9b2848a0b548edc03f92a220660cdb8 and Rust 1.95.0 (59807616e 2026-04-14).
  • The release job log resolved softprops/action-gh-release@v2 to SHA 3bb12739c298aeb8a4eeaf626c5b8d85266b0e65.
  • The release-please job log resolved googleapis/release-please-action@v4 to SHA 5c625bfb5d1ff62eadeeb3772007f7f66fdcf071.
  • The DEB job installed cargo-deb v3.7.0.
  • The RPM job installed cargo-generate-rpm v0.21.0; the Fedora container installed Rust/Cargo 1.95.0-1.fc44.
  • checksums.txt has GitHub API digest sha256:772665bb94418715f4761931df79d4b4ca30ab738d0def3213a5c19d4b31648b; the downloaded file hashes to the same value.
  • Every checksum entry in checksums.txt matches the corresponding GitHub Release asset digest.
  • The Windows artifact downloaded from run 25445836840 hashes to aad430c14d82b4470f14bdb9695e8cd97aeac97444bd087bd70be161ced09cb7, matching the published release asset digest. The contained rtk.exe hashes to 731583957e8cea7cfa858fb56835c001b71f75e595710a5441ebaee12fc6c83b without executing it.

Impact

The current release can be traced to a GitHub Actions run, but future releases remain sensitive to mutable external inputs. A tag move in an action, a new stable Rust release, a new crates.io packaging-tool release, or a changed latest runner/container image can alter release outputs without an explicit source diff in this repository.

That weakens reproducibility, incident response, and provenance review for security-sensitive binary releases.

Verification steps

No released binary needs to be executed.

  1. Inspect workflow source at v0.39.0: gh api repos/rtk-ai/rtk/contents/.github/workflows/release.yml?ref=v0.39.0 -H "Accept: application/vnd.github.raw"
  2. Inspect producing run metadata: gh api repos/rtk-ai/rtk/actions/runs/25445836840
  3. Inspect job logs for resolved action SHAs/tool versions: gh run view 25445836840 -R rtk-ai/rtk --job <job-id> --log
  4. Compare release asset digests: gh api repos/rtk-ai/rtk/releases/tags/v0.39.0
  5. Download checksums.txt and compare its SHA256 and entries with the API digest fields.
  6. Optionally download the Windows run artifact and hash the nested ZIP/EXE as files only.

Suggested mitigation

  • Pin third-party and first-party actions by full commit SHA, with comments documenting the human-readable version tag.
  • Replace dtolnay/rust-toolchain@stable with a pinned Rust version, for example via rust-toolchain.toml or explicit action input.
  • Replace unversioned installs with pinned, locked installs, for example cargo install cargo-deb --version 3.7.0 --locked and cargo install cargo-generate-rpm --version 0.21.0 --locked or a prebuilt pinned tool environment.
  • Avoid floating runner/container labels where practical: use explicit runner images such as ubuntu-24.04/windows-2025 and pin container images by digest instead of fedora:latest.
  • Consider publishing provenance/SLSA attestations for release artifacts.
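
An added example for step 5 of the verification steps above (not part of the original issue or the rtk project): it hashes a downloaded checksums.txt, compares it with the release API's digest field, then checks each entry against the asset of the same name. The sha256sum-style line format, the function names and the sample asset name are assumptions, and the sample data is constructed.

```python
import hashlib
import json

def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[1].lstrip("*").strip()] = parts[0].lower()
    return entries

def verify_release(release_json, checksums_bytes, checksums_name="checksums.txt"):
    """Return a list of problems; an empty list means every digest agrees."""
    assets = {a["name"]: a.get("digest") for a in json.loads(release_json)["assets"]}
    problems = []
    # The downloaded checksums file must hash to its own API digest.
    local = "sha256:" + hashlib.sha256(checksums_bytes).hexdigest()
    if assets.get(checksums_name) != local:
        problems.append(f"{checksums_name}: local {local} != API {assets.get(checksums_name)}")
    # Each entry must match the API digest of the asset with the same name.
    entries = parse_checksums(checksums_bytes.decode("utf-8"))
    for name, hexdigest in entries.items():
        if name not in assets:
            problems.append(f"{name}: listed in checksums but not a release asset")
        elif assets[name] != "sha256:" + hexdigest:
            problems.append(f"{name}: checksum entry != API digest {assets[name]}")
    for name in sorted(assets.keys() - entries.keys() - {checksums_name}):
        problems.append(f"{name}: release asset has no checksum entry")
    return problems

def sample():
    """Constructed release JSON and checksums file; digests are computed locally."""
    blob = hashlib.sha256(b"constructed asset bytes").hexdigest()
    checksums = f"{blob}  rtk-sample.zip\n".encode()
    release = {"assets": [
        {"name": "rtk-sample.zip", "digest": "sha256:" + blob},
        {"name": "checksums.txt", "digest": "sha256:" + hashlib.sha256(checksums).hexdigest()},
    ]}
    return json.dumps(release), checksums

if __name__ == "__main__":
    print(verify_release(*sample()) or "all digests agree")
```

With real data, `release_json` is the output of the step 4 `gh api` call and `checksums_bytes` is the downloaded file read in binary mode.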
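
An added example for the suggested mitigation above (not part of the original issue or the rtk project): a small audit that flags the floating inputs the issue lists, namely actions not pinned to a full commit SHA, *-latest runners, container images without a digest, and cargo install without --version/--locked. Rule names and patterns are this example's own, and the sample workflow is constructed.

```python
import re

FULL_SHA = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
RUNNER = re.compile(r"\b(?:ubuntu|macos|windows)-latest\b")
IMAGE = re.compile(r"^\s*(?:container|image):\s*(\S+)")
CARGO_INSTALL = re.compile(r"\bcargo\s+install\b(.*)")

def audit_workflow(text):
    """Return (line_no, rule, detail) for each floating input in workflow YAML text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*", "", line)  # drop YAML comments
        m = USES.match(line)
        # Local (./) references travel with the repo commit; docker:// is out of scope here.
        if m and not m.group(1).startswith(("./", "docker://")):
            if not FULL_SHA.fullmatch(m.group(1).partition("@")[2]):
                findings.append((n, "action-not-sha-pinned", m.group(1)))
        for label in RUNNER.findall(line):
            findings.append((n, "floating-runner", label))
        m = IMAGE.match(line)
        if m and "@sha256:" not in m.group(1):
            findings.append((n, "image-not-digest-pinned", m.group(1)))
        m = CARGO_INSTALL.search(line)
        if m:
            words = {w.split("=")[0] for w in m.group(1).split()}
            pinned = "--version" in words or any("@" in w for w in words if not w.startswith("-"))
            need = {"--version": pinned, "--locked": "--locked" in words}
            missing = [flag for flag, ok in need.items() if not ok]
            if missing:
                findings.append((n, "cargo-install-unpinned", " ".join(missing)))
    return findings

# Constructed sample mirroring references the issue lists; not the real release.yml.
SAMPLE = """\
jobs:
  rpm:
    runs-on: ubuntu-latest
    container: fedora:latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
      - run: cargo install cargo-deb
      - run: cargo install cargo-generate-rpm --version 0.21.0 --locked
"""

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

The check is line-based, so a multi-line `container:` mapping is caught through its `image:` key; a non-empty result can be used to fail a CI job.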
