Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use commit hashes for GH Action versions #13657

Open
2 of 4 tasks
kenodegard opened this issue Mar 5, 2024 · 1 comment
Open
2 of 4 tasks

Use commit hashes for GH Action versions #13657

kenodegard opened this issue Mar 5, 2024 · 1 comment
Labels
backlog issue has been triaged but has not been earmarked for any upcoming release source::anaconda created by members of Anaconda, Inc. type::task indicates a change that doesn't pertain to the code itself, e.g. updating CI/CQ, rebuilding package

Comments

@kenodegard
Copy link
Contributor

Checklist

  • I added a descriptive title
  • I searched open requests and couldn't find a duplicate

What is the idea?

It would be better to use hashes for the 3rd party GHA Actions instead of version tags. Dependabot should be compatible with that (conda-forge/docker-images#256).

See #13162 (review)

Dependabot usually recommends pinning the hash to avoid tag replacement attacks. Dependabot can recognize the hashes as version approach and update them as necessary too, so I'd recommend switching back to hashes in 3rd party (i.e. no actions/*) actions.

See #13162 (comment)

Why is this needed?

Secure ourselves against tag replacement attacks.

What should happen?

  • Modify dependabot config to update commit hashes
  • Switch GH Actions to use commit hashes

Additional Context

No response
@kenodegard kenodegard added source::anaconda created by members of Anaconda, Inc. type::task indicates a change that doesn't pertain to the code itself, e.g. updating CI/CQ, rebuilding package backlog issue has been triaged but has not been earmarked for any upcoming release labels Mar 5, 2024
@kenodegard kenodegard mentioned this issue Mar 5, 2024
Merged
3 tasks
@dbast
Copy link
Member

dbast commented Mar 5, 2024

this requires activating dependabot for the repo... and it will propose updates for all actions in and outside of test.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backlog issue has been triaged but has not been earmarked for any upcoming release source::anaconda created by members of Anaconda, Inc. type::task indicates a change that doesn't pertain to the code itself, e.g. updating CI/CQ, rebuilding package
Projects
🧭 Planning
Status: 🆕 New
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dbast @kenodegard