rtk-ai/rtk

Harden release workflow provenance inputs

Open

#1,783 created on May 8, 2026

Labels: area:ci, area:security, enhancement, help wanted, priority:medium


Description

Summary

The v0.39.0 release path is functional, but several release inputs are still floating:

  • external GitHub Actions are referenced by mutable tags;
  • the Rust toolchain is installed from stable;
  • packaging tools are installed with cargo install without --version/--locked;
  • some runner/container labels are floating (*-latest, fedora:latest).

This is a release hardening and provenance issue, not an accusation of malware. I did not find evidence that the v0.39.0 assets differ from the GitHub Actions run artifacts.

Version / tag / commit

Evidence

Source workflow references at v0.39.0:

  • .github/workflows/release.yml:41, :44, :48, :52, :57 use macos-latest, ubuntu-latest, and windows-latest through the release matrix.
  • .github/workflows/release.yml:62 uses actions/checkout@v4.
  • .github/workflows/release.yml:65 uses dtolnay/rust-toolchain@stable.
  • .github/workflows/release.yml:103, :128, :158 use actions/upload-artifact@v4.
  • .github/workflows/release.yml:119 runs cargo install cargo-deb.
  • .github/workflows/release.yml:136 uses container: fedora:latest.
  • .github/workflows/release.yml:146 runs cargo install cargo-generate-rpm.
  • .github/workflows/release.yml:168 uses actions/create-github-app-token@v3.
  • .github/workflows/release.yml:176 uses actions/checkout@v4.
  • .github/workflows/release.yml:179 uses actions/download-artifact@v4.
  • .github/workflows/release.yml:213 uses softprops/action-gh-release@v2.
  • .github/workflows/cd.yml:107 uses actions/create-github-app-token@v3.
  • .github/workflows/cd.yml:114 uses googleapis/release-please-action@v4.
  • .github/workflows/cd.yml:125 calls the reusable release workflow.
  • .github/workflows/cd.yml:138, :145 use actions/create-github-app-token@v3 and actions/checkout@v4 for the latest tag update.

Run metadata for v0.39.0:

  • GET /repos/rtk-ai/rtk/actions/runs/25445836840 shows repository.full_name=rtk-ai/rtk, head_repository.full_name=rtk-ai/rtk, head_branch=master, head_sha=2fbc7514f6964acabcfac65501b8bb6b525e3aa8, referenced_workflows[0].path=rtk-ai/rtk/.github/workflows/release.yml@2fbc7514f6964acabcfac65501b8bb6b525e3aa8.
  • The release asset uploader is rtk-release-bot[bot], matching the GitHub App token created in the release job.
  • The Windows build job log resolved dtolnay/rust-toolchain@stable to action SHA 29eef336d9b2848a0b548edc03f92a220660cdb8 and Rust 1.95.0 (59807616e 2026-04-14).
  • The release job log resolved softprops/action-gh-release@v2 to SHA 3bb12739c298aeb8a4eeaf626c5b8d85266b0e65.
  • The release-please job log resolved googleapis/release-please-action@v4 to SHA 5c625bfb5d1ff62eadeeb3772007f7f66fdcf071.
  • The DEB job installed cargo-deb v3.7.0.
  • The RPM job installed cargo-generate-rpm v0.21.0; the Fedora container installed Rust/Cargo 1.95.0-1.fc44.
  • checksums.txt has GitHub API digest sha256:772665bb94418715f4761931df79d4b4ca30ab738d0def3213a5c19d4b31648b; the downloaded file hashes to the same value.
  • Every checksum entry in checksums.txt matches the corresponding GitHub Release asset digest.
  • The Windows artifact downloaded from run 25445836840 hashes to aad430c14d82b4470f14bdb9695e8cd97aeac97444bd087bd70be161ced09cb7, matching the published release asset digest. The contained rtk.exe hashes to 731583957e8cea7cfa858fb56835c001b71f75e595710a5441ebaee12fc6c83b without executing it.

Impact

The current release can be traced to a GitHub Actions run, but future releases remain sensitive to mutable external inputs. A tag move in an action, a new stable Rust release, a new crates.io packaging-tool release, or a changed latest runner/container image can alter release outputs without an explicit source diff in this repository.

That weakens reproducibility, incident response, and provenance review for security-sensitive binary releases.

Verification steps

No released binary needs to be executed.

  1. Inspect workflow source at v0.39.0: gh api "repos/rtk-ai/rtk/contents/.github/workflows/release.yml?ref=v0.39.0" -H "Accept: application/vnd.github.raw"
  2. Inspect producing run metadata: gh api repos/rtk-ai/rtk/actions/runs/25445836840
  3. Inspect job logs for resolved action SHAs/tool versions: gh run view 25445836840 -R rtk-ai/rtk --job <job-id> --log
  4. Compare release asset digests: gh api repos/rtk-ai/rtk/releases/tags/v0.39.0
  5. Download checksums.txt and compare its SHA256 and entries with the API digest fields.
  6. Optionally download the Windows run artifact and hash the nested ZIP/EXE as files only.

Suggested mitigation

  • Pin third-party and first-party actions by full commit SHA, with comments documenting the human-readable version tag.
  • Replace dtolnay/rust-toolchain@stable with a pinned Rust version, for example via rust-toolchain.toml or explicit action input.
  • Replace unversioned installs with pinned, locked installs, for example cargo install cargo-deb --version 3.7.0 --locked and cargo install cargo-generate-rpm --version 0.21.0 --locked or a prebuilt pinned tool environment.
  • Avoid floating runner/container labels where practical: use explicit runner images such as ubuntu-24.04/windows-2025 and pin container images by digest instead of fedora:latest.
  • Consider publishing provenance/SLSA attestations for release artifacts.
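
A minimal check for the floating inputs this issue lists, added here as an illustration (it is not code from the rtk repository or from the issue author): it scans workflow text line by line for action refs that are not a full 40-character commit SHA, `*-latest` runner labels, container images without a digest, and `cargo install` without a pinned version and `--locked`. The sample workflow, the function name `find_floating_inputs` and the local action path are constructed for the example.

```python
import re

# Constructed sample modelled on the inputs the issue lists; not the real release.yml.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    strategy: {matrix: {os: [macos-latest, ubuntu-24.04]}}
    runs-on: ${{ matrix.os }}
    container: fedora:latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
      - uses: ./.github/actions/local-step
      - run: cargo install cargo-deb
      - run: cargo install cargo-generate-rpm --version 0.21.0 --locked
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
IMAGE = re.compile(r"^\s*(?:container|image):\s*([^\s#]+)")
RUNNER = re.compile(r"\b(?:ubuntu|macos|windows)-latest\b")
CARGO = re.compile(r"\bcargo\s+install\b([^#|;&]*)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def find_floating_inputs(text):
    """Return (line_no, kind, value) for every mutable input found in workflow text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line YAML comment
        m = USES.match(line)
        if m and not m.group(1).startswith("./"):  # local refs follow the repo commit
            if not FULL_SHA.fullmatch(m.group(1).partition("@")[2]):
                findings.append((no, "action-ref", m.group(1)))
        m = IMAGE.match(line)
        if m and "@sha256:" not in m.group(1):  # tag only, no content digest
            findings.append((no, "container-tag", m.group(1)))
        for label in RUNNER.findall(line):  # also catches labels set via the matrix
            findings.append((no, "runner-label", label))
        m = CARGO.search(line)
        if m:
            args = m.group(1).split()
            pinned = any(a.startswith("--version") or "@" in a for a in args)
            if not (pinned and "--locked" in args):
                findings.append((no, "cargo-install", " ".join(args)))
    return findings

if __name__ == "__main__":
    for no, kind, value in find_floating_inputs(SAMPLE_WORKFLOW):
        print(f"line {no}: {kind}: {value}")
```

The check is line-based rather than a YAML parse, so it reports line numbers directly but will not follow values assembled from expressions or multi-line scalars.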
