Hash action versions #963
Dependabot alerts don't work with hashes: https://docs.github.com/en/code-security/concepts/supply-chain-security/about-dependabot-alerts#limitations

What is the reason to do so? If you want to pin an explicit version you can do "v6.3.1" - the convention is not to update these.

Security: tags are not immutable. It seems the best practice is to pin to a hash: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions but then you don't get Dependabot security alerts? 🤔

Ah, I see. Then unfortunately no Dependabot here 😝
At least the content of the commit doesn't change (until someone finds a way for hash collisions...), while it can change for tags. So this is maybe not really needed for where we put them, but we might as well just go for hashes everywhere as a principle.
Security in depth!

| - uses: cvmfs-contrib/github-action-cvmfs@v5 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd | ||
| - uses: cvmfs-contrib/github-action-cvmfs@10197e000cc0add8e54ac4fb73d3ed44e2de72b4 | ||
| - uses: key4hep/key4hep-actions/cache-external-data@main |
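Review bot: the last line still references key4hep/key4hep-actions/cache-external-data@main, a mutable branch ref, while the other steps in this hunk are moved to full commit hashes; the contents of `main` can change between runs, so pin it to a commit as well (the thread notes this repository is not tagged, which makes a commit hash the only immutable option) or leave a comment stating that tracking the branch is intentional. Neither hash line carries the `# vX.Y.Z` comment discussed later in the thread, which Dependabot keeps in sync with the hash, so a reader cannot tell which release `de0fac2e...` or `10197e00...` corresponds to without resolving it; consider adding one to each.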
Good question (also for other repositories). We currently don't even tag this I think.
Wait, the updates seem to work with hashes, no? https://docs.github.com/en/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories?utm_source=chatgpt.com#github-actions For example, here in TBB they pin by hash and have a comment, and they get an update: uxlfoundation/oneTBB#2037. The docs you mentioned were about Dependabot alerts, which are a different thing from Dependabot version updates (which means that if a vulnerability is detected in the version but we pin it with a hash, not a tag, then there won't be an alert).

IIUC, we could also do this to track which tag we are tracking, and Dependabot would automatically update the comment as well(?)

    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #6.0.2

That is my understanding as well.

dependabot will also update those and verification will become easier
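The hash-plus-version-comment convention discussed above, as an added example that is not part of this PR or of the repositories it mentions: a small Python audit that flags steps pinned to a branch or tag instead of a commit, commits that lack the version comment Dependabot keeps in sync, and comments that do not resolve to the pinned commit. The tag-to-commit mapping and the example-org action are constructed for the demo; in practice the mapping would be built from `git ls-remote --tags` on each action repository.

```python
import re

# One workflow step, e.g. "- uses: owner/repo@<ref> # v6.0.2"; the optional
# "# version" comment is the one Dependabot keeps in sync with the hash.
USES_RE = re.compile(
    r"uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)\s*(?:#\s*v?(?P<ver>\S+))?"
)


def classify_uses(line):
    """(action, ref, version_comment, kind) for a remote `uses:` line, else None.
    kind 'sha' is an immutable full commit; 'branch', 'tag', 'other' can move."""
    m = USES_RE.search(line)  # local actions (uses: ./path) have no @ref -> None
    if not m:
        return None
    action, ref, ver = m.group("action"), m.group("ref"), m.group("ver")
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        kind = "sha"
    elif ref in ("main", "master"):
        kind = "branch"
    else:
        kind = "tag" if re.match(r"v?\d", ref) else "other"
    return action, ref, ver, kind


def audit_workflow(text, tag_to_sha):
    """Return [(action, problem)] for steps not pinned to a commit, pinned without
    a version comment, or whose comment does not resolve to the pinned commit.
    tag_to_sha maps (action, version) -> commit; in practice build it from
    `git ls-remote --tags` on each action repository (assumed, not fetched here)."""
    findings = []
    for line in text.splitlines():
        parsed = classify_uses(line)
        if parsed is None:
            continue
        action, ref, ver, kind = parsed
        if kind != "sha":
            findings.append((action, f"mutable ref {ref!r} ({kind})"))
        elif ver is None:
            findings.append((action, "commit pinned without a version comment"))
        elif tag_to_sha.get((action, ver)) != ref:
            findings.append((action, f"comment v{ver} does not match {ref[:7]}"))
    return findings


# Constructed sample: the hashes and the 6.0.2 comment are the ones from this
# thread; example-org/example-action and the mapping below are made up.
SAMPLE_WORKFLOW = """\
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  - uses: cvmfs-contrib/github-action-cvmfs@10197e000cc0add8e54ac4fb73d3ed44e2de72b4
  - uses: key4hep/key4hep-actions/cache-external-data@main
  - uses: example-org/example-action@v5
"""
SAMPLE_TAG_TO_SHA = {("actions/checkout", "6.0.2"): "de0fac2e4500dabe0009e67214ff5f5447ce83dd"}
```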
force-pushed from e7e7dc4 to 2a4d0eb
There is also this in Settings -> Advanced security (disabled by default):
This should probably be updated? But if there are no alerts when using commits, does this work? Also, alerts are disabled by default.

I checked on some other repo and indeed it seems to work out of the box.

Dependabot alerts are enabled for podio. We get some fixes for the

Ah, now I get what you mean. But if we get auto-updates in any case, does it matter too much whether the update has been triggered by a security issue or by something else?
Edit: The screenshot you put says that they are enabled and that we could disable them with the button.

I would merge these as is, unless there are more comments. We can decide what to do with our own

BEGINRELEASENOTES
ENDRELEASENOTES
Doing this in favor of just bumping versions as originally proposed by dependabot