Reference actions by commit SHA #224
Conversation
It's important to make sure the SHA's are from the original repositories and not forks. For reference: https://github.com/actions/cache/releases/tag/v3.3.1 actions/cache@88522ab https://github.com/actions/checkout/releases/tag/v3.5.2 actions/checkout@8e5e7e5 https://github.com/github/codeql-action/releases/tag/v2.3.6 https://github.com/github/codeql-action/commit/83f0fe6c4988d98a455712a27f0255212bba9bd4 Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
It's important to make sure the SHA's are from the original repositories and not forks. For reference: https://github.com/actions/cache/releases/tag/v3.3.1 actions/cache@88522ab https://github.com/actions/checkout/releases/tag/v3.5.2 actions/checkout@8e5e7e5 https://github.com/actions/setup-java/releases/tag/v3.11.0 https://github.com/actions/setup-java/commit/5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 https://github.com/codecov/codecov-action/releases/tag/v3.1.4 codecov/codecov-action@eaaf4be Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
It's important to make sure the SHA's are from the original repositories and not forks. For reference: https://github.com/actions/cache/releases/tag/v3.3.1 actions/cache@88522ab https://github.com/actions/checkout/releases/tag/v3.5.2 actions/checkout@8e5e7e5 https://github.com/actions/setup-java/releases/tag/v3.11.0 https://github.com/actions/setup-java/commit/5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
It's important to make sure the SHA's are from the original repositories and not forks. For reference: https://github.com/actions/checkout/releases/tag/v3.5.2 actions/checkout@8e5e7e5 Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
|
Hi @gabibguti |
Hm, looks like it does! For example: https://github.com/apache/commons-lang/blame/ebcb39a62fc1e47251eceaf63a4b3d731c5227a0/.github/workflows/maven.yml |
Hi @garydgregory ! Yes, dependabot is able to update both the commit SHA and the comment with the semantic version. |
|
Hi @gabibguti |
Referencing actions by commit SHA in GitHub workflows, guarantees you are using an immutable version. In contrast, actions referenced by tags and branches are vulnerable to attacks, such as the tag being moved to a malicious commit, a malicious commit being pushed to the branch or typosquatting.
Although there are pros and cons for each reference, GitHub acknowledges that using commit SHAs is more reliable, as does Scorecard security tool.
Currently, in this repository, we use actions such as
actions/checkout@v3.5.2andgithub/codeql-action/init@v2. Most actions are referenced by tags. To prevent the attacks mentioned above, it would be good to change the tag references to commit SHAs as suggested in this PR.Additional Context
Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)