GitHub's Security hardening for [third-party] GitHub Actions recommends pinning third-party actions to a specific full length SHA:

You can help mitigate this risk by following these good practices:
Pin actions to a full length commit SHA
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
I tried doing so with uses: int128/hide-comment-action@9526e5fa1c7a9dee4c37bf7b2319d65b3e04e4d1 but encountered an error:
Error: File not found: '/opt/actions-runner/_work/_actions/int128/hide-comment-action/9526e5fa1c7a9dee4c37bf7b2319d65b3e04e4d1/dist/index.js'
Digging in a bit, I see dist/ doesn't exist on checkout and is instead built as part of a release, which is counter to how other actions like actions/checkout are provided.
Please consider having an always-present dist/ so we can pin to specific SHAs (or make a conscious decision otherwise). Thanks!
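As an added example (not from this issue or from the hide-comment-action project), here is a small stdlib-only lint that flags `uses:` references in a workflow that are not pinned to a full 40-hex commit SHA, and a second check for the exact failure described above: whether the file named by `runs.main` in an action's action.yml actually exists at the referenced commit. The workflow text, action names, SHA, action.yml and tree listing are all constructed for the illustration.

```python
"""Lint GitHub workflow `uses:` references for full-length SHA pinning.

Added example; stdlib only, constructed inputs, no network access.
"""
import re
from typing import List, NamedTuple

# Constructed sample workflow (hypothetical repos and refs, not from the issue).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: example-org/some-action@9526e5f
      - uses: example-org/deploy@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


class Pin(NamedTuple):
    repo: str   # "owner/name" (or the raw value for local / docker refs)
    ref: str    # text after "@"; empty for local / docker refs
    kind: str   # "full-sha", "short-sha", "mutable", "local", "docker"


def classify_uses(value: str) -> Pin:
    """Classify one `uses:` value by how immutable its reference is."""
    if value.startswith("./"):
        return Pin(value, "", "local")    # same-repo action, pinned with the workflow itself
    if value.startswith("docker://"):
        return Pin(value, "", "docker")   # image refs need digest pinning; out of scope here
    repo, _, ref = value.partition("@")
    if FULL_SHA.match(ref):
        kind = "full-sha"
    elif SHORT_SHA.match(ref):
        kind = "short-sha"    # abbreviated hash; not a full-length pin
    else:
        kind = "mutable"      # tag or branch: the maintainer (or an attacker) can move it
    return Pin(repo, ref, kind)


def find_unpinned(workflow_text: str) -> List[Pin]:
    """Return every third-party action reference that is not a full-length SHA."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        pin = classify_uses(m.group(1))
        if pin.kind in ("short-sha", "mutable"):
            findings.append(pin)
    return findings


def entrypoint_present(action_yml: str, tree_paths: List[str]) -> bool:
    """Check that the file named by `runs.main` in action.yml exists in the tree.

    Guards against the failure in this issue: action.yml points at dist/index.js
    while dist/ is only generated at release time, so a SHA pin finds no file.
    """
    m = re.search(r"^\s*main:\s*['\"]?([^'\"\s]+)", action_yml, re.MULTILINE)
    if not m:
        return False
    return m.group(1) in set(tree_paths)


# Constructed action.yml and tree listings (hypothetical, for illustration).
SAMPLE_ACTION_YML = "name: demo\nruns:\n  using: node20\n  main: dist/index.js\n"
TREE_WITHOUT_DIST = ["action.yml", "package.json", "src/index.ts"]
TREE_WITH_DIST = TREE_WITHOUT_DIST + ["dist/index.js"]

if __name__ == "__main__":
    for pin in find_unpinned(SAMPLE_WORKFLOW):
        print(f"not pinned to a full SHA: {pin.repo}@{pin.ref} ({pin.kind})")
    print("entrypoint present at pinned commit:",
          entrypoint_present(SAMPLE_ACTION_YML, TREE_WITH_DIST))
```

The lint only checks the shape of the reference; it cannot tell whether a 40-hex SHA belongs to the upstream repository or to a fork, which is the second half of GitHub's advice. That has to be confirmed against the upstream repository itself (for example by looking the commit up on the action's own repository page) before the pin is committed.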