Hello, there!

As part of the university research we are currently doing regarding the security of Github Actions, we noticed that one or many of the workflows that are part of this repository are referencing vulnerable versions of the third-party actions. As part of a disclosure process, we decided to open issues to notify GitHub Community.

Please note that there are could be some false positives in our methodology, thus not all of the open issues could be valid. If that is the case, please let us know, so that we can improve on our approach. You can contact me directly using an email: ikoishy [at] ncsu.edu

Thanks in advance

1. The workflow build-runners.yml is referencing action gittools/actions/gitversion/setup using references v0.9.9. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.
2. The workflow build-runners.yml is referencing action gittools/actions/gitversion/execute using references v0.9.9. However this reference is missing the commit 90150b4 which may contain fix to the vulnerability.

The vulnerability fix that is missing by actions' versions could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider updating the reference to the action.

If you end up updating the reference, please let us know. We need the stats for the paper :-)

• ProviderProjectCreateCommand
• ProviderProjectDeleteCommand
• ProviderProjectUpdateCommand
• ProviderRegisterCommand

Currently, in the provider ARM templates the KeyVaultName is generated using:
"keyVaultName": "[concat('kv', uniqueString(resourceGroup().id))]",. When a resource group containing a KeyVault is deleted, the KeyVault is "soft deleted". Because we default the Resource Group name to the Provider name (i.e. TeamCloud.Providers.GitHub), when you delete the resource group, then try to redeploy the provider, it errors out in conflict because the KeyVault already exist (just soft deleted). So... we need to add more "uniqueness" to the KeyVault name.

Pending success of issue #30

• ProviderProjectCreateCommand
• ProviderProjectDeleteCommand
• ProviderProjectUpdateCommand
• ProviderRegisterCommand

• Configure the TeamCloud.Providers.Core project to create .nupkg and .symbols.nupkg files on build (I tried briefly to get this to work, but moved on)
• Uncomment code in pre_release.yml workflow file to publish packages to MyGet (dev) feeds and release assets
• Uncomment code in ci_package.yml workflow file to publish packages to MyGet (dev) feeds
• Uncomment code in promote_release.yml workflow file to pull packages from release assets and publish packages in MyGet (and later NuGet) feeds

• Package and deploy TeamCloud.Providers.Core
• Build and test Azure Providers
• Create publish zips for releases
• Split ci builds and release build

• Project
• Team
• Repository

• ProviderProjectCreateCommand
• ProviderProjectDeleteCommand
• ProviderProjectUpdateCommand
• ProviderRegisterCommand

The change from Guid Ids to String Ids broke some role assignment code in
TeamCloud.Providers.Core.TeamCloudProvidersCoreExtensions and TeamCloud.Azure.Resources, and possibly other places too.

Attempting to zip deploy (via CLI) Azure.AppInsights provider to Azure succeeds, however the function runtime fails to start the functions because the function is looking for a connection string to a configuration service (likely in Startup.cs somewhere?).

Describe the bug
Permissions granted to the labs managed identity are removed during sync, as the responsible activity doesn't respect the managed identity as user.

To Reproduce
n.a.

Expected behavior
The labs managed identity keeps its role assignment during user sync.

Additional context
Add any other context about the problem here.

Describe the bug
The azure.devops provider can't be registered when the provider is returning an identity.

To Reproduce
Use the usual register provider workflow

Expected behavior
Provider is registered and the returned result contains the provider identity

Additional context
n/a

Describe the bug
ProjectUsersActivity failed: Project user role 'None' is not supported.

To Reproduce
Create a new project and check the provider trace

Expected behavior
Project user role 'None' is skipped during the user sync.

Additional context
n/a

Describe the bug
DTL changed the way to assign a MSI for environment deployments.

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"BadRequest","message":"{\r\n \"error\": {\r\n \"code\": \"ServiceRunnerIsDeprecatedEnvironment\",\r\n \"message\": \"Service runner with IdentityUsageType of 'Environment' is deprecated. Use lab.Identity.UserAssignedIdentities instead.\"\r\n }\r\n}"}]}

To Reproduce
Steps to reproduce the behavior: Run a project deployment with DTL provider involved

Expected behavior
No error

Additional context
Add any other context about the problem here.

• ProviderProjectCreateCommand
• ProviderProjectDeleteCommand
• ProviderProjectUpdateCommand
• ProviderRegisterCommand

• ProviderProjectUserCreateCommand
• ProviderProjectUserDeleteCommand
• ProviderProjectUserUpdateCommand
• ProviderTeamCloudUserCreateCommand
• ProviderTeamCloudUserDeleteCommand
• ProviderTeamCloudUserUpdateCommand

Use the DevTest Lab provider as a sample, as this provider will need this feature fist.