SHA-pin third-party GitHub Actions (#39)#79
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Pins third-party GitHub Actions used by this repository’s workflows and composite actions to full commit SHAs to reduce supply-chain risk from upstream tag retargeting, while keeping GitHub-maintained actions/* on major tags.
Changes:
- Replaced major-tag references with full commit SHAs for
docker/*actions in container build/test workflows. - SHA-pinned
softprops/action-gh-releaseinpublish-gh-pagesandconda-incubator/setup-minicondainsetup-environment. - Documented the security hardening change in
CHANGELOG.md.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
setup-environment/action.yml |
SHA-pins conda-incubator/setup-miniconda for non-container setup. |
publish-gh-pages/action.yml |
SHA-pins softprops/action-gh-release for release asset uploads. |
.github/workflows/test-container.yml |
SHA-pins docker/login-action in container test jobs. |
.github/workflows/build-containers.yml |
SHA-pins docker/* actions used to build and push images. |
CHANGELOG.md |
Records the SHA-pinning security change under Unreleased. |
Pin third-party actions to full commit SHAs (with a `# vN` comment) so a hijacked upstream tag can't inject code into our workflows (cf. the tj-actions/changed-files compromise): - docker/login-action, docker/setup-buildx-action, docker/metadata-action, docker/build-push-action (build-containers.yml, test-container.yml) - softprops/action-gh-release (publish-gh-pages) - conda-incubator/setup-miniconda (setup-environment) First-party actions/* are left on major tags (GitHub-maintained, per GitHub's guidance). Dependabot's github-actions ecosystem keeps the SHA pins current. Note: conda-incubator/setup-miniconda is in setup-environment/action.yml, which open PR #78 (#33) also edits — whichever merges second needs a trivial rebase. Closes #39 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
46da3d6 to
e0e9ae9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #39 (L18). Pins the third-party actions to full commit SHAs so a hijacked upstream tag can't inject code into our workflows (the threat demonstrated by the
tj-actions/changed-filescompromise — repointed tags dumped CI secrets). First-partyactions/*are left on major tags per GitHub's own guidance, and Dependabot keeps the SHA pins current (it bumps the SHA + the# vNcomment).Pinned (with
# vNcomment for readability)docker/login-actionc94ce9f…# v3docker/setup-buildx-action8d2750c…# v3docker/metadata-actionc299e40…# v5docker/build-push-actionca052bb…# v5softprops/action-gh-release3bb1273…# v2conda-incubator/setup-minicondafc2d68f…# v3Each SHA is what the action's current major tag resolves to today.
Left on major tags (intentional)
actions/checkout,actions/cache,actions/upload-artifact,actions/github-script,actions/configure-pages,actions/upload-pages-artifact,actions/deploy-pages— GitHub-maintained; low hijack risk.conda-incubator/setup-minicondais insetup-environment/action.yml, which open PR #78 (#33) also edits. Whichever merges second needs a trivial one-line rebase (re-apply the SHA pin to thatuses:line). Suggest merging #78 first, then I rebase this.🤖 Generated with Claude Code