Pin actions to a full length commit SHA #1543

Merged
merged 1 commit into from
Apr 8, 2022

Conversation

naveensrinivasan
Contributor

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

[How do I validate these pinned actions?](https://gist.github.com/naveensrinivasan/ca008c07279176acce28969fb77d056f)

Also, dependabot supports upgrading based on SHA. ossf/scorecard#1700

GitHub's own repository pins their checkout actions by SHA and doesn't use the version tag
https://github.com/github/docs/blob/ea7f218c91ecbae9a700a8702b51a7d2736e0d2c/.github/workflows/docs-review-collect.yml#L23

Signed-off-by: naveensrinivasan [email protected]

- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

Member

@diemol diemol left a comment

You mention that

> Also, dependabot supports upgrading based on SHA. ossf/scorecard#1700

But how will I know which tag am I using? Seems the comments in those workflows were added manually. Readability is important for us and we check the actions before adding them to our workflows.

@naveensrinivasan
Contributor Author

> You mention that
>
> Also, dependabot supports upgrading based on SHA. ossf/scorecard#1700
>
> But how will I know which tag am I using? Seems the comments in those workflows were added manually. Readability is important for us and we check the actions before adding them to our workflows.

I understand that is an issue. There isn't a straight way out now TBH. There needs to be some grep and awk of the file to parse the SHA and use something like this to relate the SHA to a tag.
https://gist.github.com/naveensrinivasan/ca008c07279176acce28969fb77d056f

The goal is to avoid something like this https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
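The "grep and awk" step described in this reply, and the "how do I validate these pinned actions?" question in the PR description, can be done with a small checker like the one below. This is an added example, not code from this PR, the linked gist or the Selenium project. It scans a workflow file for `uses: owner/repo@ref` lines, accepts only a full 40-hex-digit SHA as pinned, and then relates each pinned SHA back to a tag by parsing the output of `git ls-remote --tags` (a real git command; the annotated-tag `^{}` peeling is how that output really looks). The action names, SHAs and ls-remote lines are constructed sample data; in practice you would feed it the real output of `git ls-remote --tags https://github.com/OWNER/REPO` for each action you use.

```python
import re

# Matches `uses: owner/repo[/subdir]@ref` with an optional trailing "# vX.Y.Z"
# comment (the readability comment Dependabot keeps next to a SHA pin).
# Local actions (./path) and docker:// actions have no owner/repo@ref form,
# so they are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[^@\s]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """A full-length lowercase hex SHA is the only immutable reference."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r"v?\d+(\.\d+){0,2}", ref):
        return "tag"      # e.g. v3 or v3.0.2: a tag the maintainer can move
    return "mutable"      # branch name or any other movable ref


def scan_workflow(text):
    """One record per `uses:` line in a workflow file (line numbers 1-based)."""
    records = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            records.append({
                "line": line_no, "action": m["action"], "ref": m["ref"],
                "kind": classify_ref(m["ref"]),
                "comment": (m["comment"] or "").strip() or None,
            })
    return records


def parse_ls_remote_tags(output):
    """Map commit SHA -> tag names from `git ls-remote --tags` output.

    An annotated tag appears twice: refs/tags/NAME (the tag object) and
    refs/tags/NAME^{} (the peeled commit). Workflows pin commits, so the
    peeled SHA wins; a lightweight tag already points at the commit.
    """
    ref_sha, peeled = {}, {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split()
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            ref_sha[name] = sha
    commit_to_tags = {}
    for name, sha in ref_sha.items():
        commit_to_tags.setdefault(peeled.get(name, sha), []).append(name)
    return commit_to_tags


def audit(workflow_text, ls_remote_by_repo):
    """Classify every action reference. ls_remote_by_repo maps "owner/repo"
    to the text of `git ls-remote --tags` for that repository."""
    report = []
    for rec in scan_workflow(workflow_text):
        repo = "/".join(rec["action"].split("/")[:2])
        tags = []
        if rec["kind"] != "sha":
            status = "UNPINNED"
        else:
            tags = parse_ls_remote_tags(ls_remote_by_repo.get(repo, "")).get(rec["ref"], [])
            if not tags:
                status = "PINNED-UNTAGGED"    # SHA is not any tagged release
            elif rec["comment"] is None:
                status = "PINNED-NO-COMMENT"  # immutable, but unreadable
            elif rec["comment"] in tags:
                status = "OK"
            else:
                status = "COMMENT-MISMATCH"   # "# v3" beside a SHA that is not v3
        report.append({**rec, "tags": tags, "status": status})
    return report


# ---- constructed sample data: fake SHAs and fake ls-remote output ----
SHA_A = "0123456789abcdef0123456789abcdef01234567"
SHA_B = "89abcdef0123456789abcdef0123456789abcdef"
TAG_OBJ = "fedcba9876543210fedcba9876543210fedcba98"

WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_A} # v3.0.0
      - uses: actions/setup-java@v3
      - name: Upload
        uses: actions/upload-artifact@main
      - uses: actions/checkout@{SHA_B} # v3
"""

LS_REMOTE = {
    "actions/checkout": (
        f"{TAG_OBJ}\trefs/tags/v3.0.0\n"      # annotated tag object
        f"{SHA_A}\trefs/tags/v3.0.0^{{}}\n"   # its peeled commit
        f"{SHA_A}\trefs/tags/v3\n"            # lightweight major tag
        f"{SHA_B}\trefs/tags/v2.4.0\n"
    ),
}

if __name__ == "__main__":
    for r in audit(WORKFLOW, LS_REMOTE):
        print(f"line {r['line']:>3}: {r['action']}@{r['ref'][:12]:<12} "
              f"{r['status']:<18} tags={r['tags']} comment={r['comment']}")
```

The `COMMENT-MISMATCH` status is the readability problem raised above: a `# v3` comment sitting next to a SHA that actually belongs to `v2.4.0` is exactly what a manually maintained comment drifts into, and what Dependabot's SHA-aware updates are meant to keep in sync. `PINNED-UNTAGGED` is worth a look too, since a SHA that matches no release tag was pinned to an arbitrary commit rather than a reviewed release.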

Member

@diemol diemol left a comment

OK, let's give it a try. If it becomes hard to maintain or dependabot does not help, we will probably revert.

@diemol diemol merged commit 9021038 into SeleniumHQ:trunk Apr 8, 2022
@naveensrinivasan naveensrinivasan deleted the naveen/feat/pin-deps branch April 8, 2022 10:16