Use case(s) - what problem will this feature solve?
When developing with GitHub workflows, it's common to version-pin dependencies (i.e. `actions/checkout@v4`). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.
Given the extended permissions given to many workflow jobs (especially `pull-requests: write`),
Proposed Solution
I suggest all Actions be hash-pinned (i.e. `actions/checkout@1a2b3c... # v4.0.0`) to a specific commit instead of major-version-pinned. Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.
These hashes can be automatically updated by Dependabot. Dependabot can periodically send a single PR to update the hashes for all Actions with new versions (see this example PR).
I'll send a PR pinning the Actions and setting up dependabot along with this issue.
Additional Context
My name is Pedro and I work with Google and the OpenSSF to improve the supply-chain security of the open-source ecosystem.
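The pin-and-check procedure the issue proposes, as an added example that is not part of the issue, the linked PR, or the project's code. It takes a constructed tag-pinned workflow, rewrites each mutable `uses:` ref to `owner/repo@<sha> # <tag>` from a resolution table, and lints the result so a tag-pinned or comment-less step fails. The commit SHAs, version strings and the `actions/setup-node` step are placeholders; in practice the SHAs would come from `git ls-remote` against the action's repository, and the trailing version comment is what Dependabot reads and updates alongside the hash.

```python
"""Check and rewrite `uses:` pins in a GitHub Actions workflow.

Added example, not code from the issue or the project. The workflow text,
commit SHAs and version strings below are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample workflow in the tag-pinned style the issue describes.
TAG_PINNED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  pull-requests: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-step
      - run: npm test
"""

# Placeholder resolution of mutable refs to (commit SHA, exact tag). In practice
# these come from `git ls-remote https://github.com/<owner>/<repo> refs/tags/*`;
# the SHAs and tags here are made up for the example, not real commits.
RESOLVED: Dict[str, Tuple[str, str]] = {
    "actions/checkout@v4": ("0123456789abcdef0123456789abcdef01234567", "v4.1.1"),
    "actions/setup-node@v4": ("89abcdef0123456789abcdef0123456789abcdef", "v4.0.2"),
}

# Dependabot config that keeps the SHAs and version comments current, grouped so
# all action bumps arrive in a single PR, as the issue proposes.
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
"""

USES_RE = re.compile(r"^(\s*(?:-\s*)?uses:\s*)([^\s#]+)(\s*#\s*(\S+))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_immutable(ref: str) -> bool:
    """True when the part after '@' is a full commit SHA (or a docker digest)."""
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    if "@" not in ref:
        return False
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, ref, reason) for every step that is not hash-pinned."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(2), m.group(4)
        if ref.startswith("./"):
            continue  # local action in this repo: no third-party trust boundary
        if not is_immutable(ref):
            findings.append((lineno, ref, "mutable ref (tag or branch)"))
        elif comment is None:
            # Without the trailing "# vX.Y.Z" comment Dependabot cannot tell which
            # version the SHA corresponds to, so it cannot bump it.
            findings.append((lineno, ref, "hash-pinned but missing version comment"))
    return findings


def pin_workflow(workflow_text: str, resolved: Dict[str, Tuple[str, str]]) -> str:
    """Rewrite mutable `uses:` refs to `owner/repo@<sha> # <tag>` using `resolved`."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m.group(2) in resolved:
            sha, tag = resolved[m.group(2)]
            action = m.group(2).rsplit("@", 1)[0]
            line = f"{m.group(1)}{action}@{sha} # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(TAG_PINNED_WORKFLOW):
        print(f"before: line {lineno}: {ref}: {reason}")
    pinned = pin_workflow(TAG_PINNED_WORKFLOW, RESOLVED)
    print(pinned)
    print("after:", find_unpinned(pinned) or "all third-party actions hash-pinned")
```

Run it as a pre-commit or CI step over `.github/workflows/*.yml` and fail the job on any finding; the `docker://` branch treats an image reference as immutable only when it carries a `@sha256:` digest, since image tags are as mutable as git tags.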