chore(deps): update dawidd6/action-download-artifact action to v3 [security] - autoclosed

[matticbot]

This PR contains the following updates:

Package	Type	Update	Change
dawidd6/action-download-artifact	action	major	v2 -> v3

GitHub Vulnerability Alerts

GHSA-5xr6-xhww-33m4

Summary

In versions of dawidd6/action-download-artifact before v6, a repository's forks were also searched by default when attempting to find matching artifacts. This could be exploited by an unprivileged attacker to introduce compromised artifacts (such as malicious executables) into a privileged workflow context, as creating a fork requires no privileges.

Users should immediately upgrade to v6 or newer, which changes the default behavior to avoid searching forks for matching artifacts. Users who cannot upgrade should explicitly set allow_forks: false to disable searching forks for artifacts.

Details

GitHub's artifact storage for workflows does not natively distinguish between artifacts created by a repository and artifacts created by forks of that repository. As a result, attempting to retrieve the "latest" artifact for a workflow run can return artifacts produced by a fork, rather than its upstream.

Because any GitHub user can create a fork of a public repository, this allows for artifact poisoning in the following scenarios (as well as potentially others):

1. Repository alice/foo runs build.yml, producing build.exe
2. Repository alice/foo runs publish.yml, which uses action-download-artifact@v5 to retrieve the latest build.exe from build.yml

To compromise publish.yml in this scenario, Mallory forks alice/foo to mallory/foo, and then modifies build.yml to produce a compromised build.exe. Mallory can then repeatedly trigger their copy of build.yml to ensure that their compromised build.exe is always the latest artifact, meaning that Alice's publish.yml will retrieve it.

Additional details on this vulnerability can be found in this blog post from 2022:

• https://www.legitsecurity.com/blog/artifact-poisoning-vulnerability-discovered-in-rust

Impact

This vulnerability impacts all repositories on GitHub that use action-download-artifacts@v5 or older and do not disable allow_forks: true, which is the default.

If a repository is affected, the severity ranges from downstream contamination (such as publishing attacker-controlled artifacts) to direct workflow compromise (if the retrieved artifact is then executed in a privileged workflow context, such as push or pull_request_target).

---

Release Notes

dawidd6/action-download-artifact (dawidd6/action-download-artifact)

v3

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

Calypso Live (direct link)

https://calypso.live?image=registry.a8c.com/calypso/app:build-125602

Jetpack Cloud live (direct link)

https://calypso.live?image=registry.a8c.com/calypso/app:build-125602&env=jetpack

Automattic for Agencies live (direct link)

https://calypso.live?image=registry.a8c.com/calypso/app:build-125602&env=a8c-for-agencies

[matticbot]

This PR modifies the release build for the following Calypso Apps:

For info about this notification, see here: PCYsg-OT6-p2

• notifications

To test WordPress.com changes, run install-plugin.sh $pluginSlug renovate/github-tags-dawidd6/action-download-artifact-vulnerability on your sandbox.

[matticbot]

This PR does not affect the size of JS and CSS bundles shipped to the user's browser.

Generated by performance advisor bot at iscalypsofastyet.com.