Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pin actions to a full length commit SHA #11618

Merged
merged 2 commits into from
Apr 4, 2022
Merged

Pin actions to a full length commit SHA #11618

merged 2 commits into from
Apr 4, 2022

Conversation

naveensrinivasan
Copy link
Contributor

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

How do I validate these pinned actions?

Also, dependabot supports upgrading based on SHA. ossf/scorecard#1700

Signed-off-by: naveensrinivasan 172697+naveensrinivasan@users.noreply.github.com

Thanks for submitting a pull request! Please provide enough information so that others can review your pull request. The two fields below are mandatory.

If you're making a change to documentation, do not modify a .html file directly. Instead find the corresponding .pug file or test case in the test/docs directory.

Summary

Examples

@naveensrinivasan
Pin actions to a full length commit SHA
75b598b 
- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

>Pin actions to a full length commit SHA

>Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

[How do I validate these pinned actions?](https://gist.github.com/naveensrinivasan/ca008c07279176acce28969fb77d056f)

Also, dependabot supports upgrading based on SHA. ossf/scorecard#1700

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
AbdelrahmanHafez
AbdelrahmanHafez approved these changes Apr 3, 2022
View reviewed changes
Copy link
Collaborator

@AbdelrahmanHafez AbdelrahmanHafez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks 👍

vkarpov15
vkarpov15 approved these changes Apr 4, 2022
View reviewed changes
Copy link
Collaborator

@vkarpov15 vkarpov15 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍 I updated the comments because the sha hash for setup-node is technically for the v3.1.0 tag, not v3. Otherwise no concerns, thanks for your contribution!

@vkarpov15 vkarpov15 added this to the 6.2.10 milestone Apr 4, 2022
@vkarpov15 vkarpov15 merged commit d0f35a3 into Automattic:master Apr 4, 2022
vkarpov15 added a commit that referenced this pull request Apr 4, 2022
@vkarpov15
chore: update tags re: #11618
c106eda
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vkarpov15 vkarpov15 vkarpov15 approved these changes

@AbdelrahmanHafez AbdelrahmanHafez AbdelrahmanHafez approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
6.2.10
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@naveensrinivasan @vkarpov15 @AbdelrahmanHafez