Reference actions by commit SHA #5266

Closed
gabibguti opened this issue Jun 2, 2023 · 3 comments · Fixed by #5269

@gabibguti
Contributor

Description

Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are vulnerable to attacks, such as the tag being moved to a malicious commit, a malicious commit being pushed to the branch or typosquatting.

Although there are pros and cons for each reference, GitHub understands using commit SHAs is more reliable, as does the Scorecard security tool.

Analyzing node.js.yml and codeql-analysis.yml, the workflows use actions such as actions/checkout@v3 and actions/cache@v3. All actions are referenced by tags. To prevent the attacks mentioned above, it would be good to change the tag references to commit SHAs. If you agree, I can open a PR.

Additional Context

Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)

@mgol
Member

mgol commented Jun 2, 2023

Thanks for the report!

The suggestions make sense to me. The only problem is maintenance. Currently we know which major versions of the actions we're using; it won't be that clear with hashes, although we can perhaps encode that info in comments.

We also have a dependabot config that submits PRs with action updates once a month: https://github.com/jquery/jquery/blob/main/.github/dependabot.yml. Is there a way to have that still working or do we have to take on these periodic updates by ourselves?

mgol added the Build and Discuss in Meeting labels Jun 2, 2023
@gabibguti
Contributor Author

Hi @mgol! I agree with the maintenance problem. I usually recommend that you keep a comment with the semantic version after the hash, such as actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2. This way the version stays readable. Also, dependabot is able to update the hash and the comment in GitHub actions, as you can see here, and no changes would be necessary to your dependabot.yml settings file.
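The check below is an added example and is not code from this issue or from the jQuery project. It audits the `uses:` lines of a workflow file for the two points raised in the thread: references that are not a full 40-hex commit SHA (tags and branches are mutable, so they can be moved to a malicious commit), and SHA pins that lack the trailing `# vX.Y.Z` comment that keeps the version readable for maintainers. The sample workflow is constructed for the demo (it is not jQuery's node.js.yml); the actions/checkout SHA is the v3.5.2 commit quoted in this issue, and the 0123...4567 value is a placeholder SHA, not a real commit.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample workflow for the demo (NOT jQuery's node.js.yml).
# Line 10 uses the actions/checkout v3.5.2 SHA quoted in this issue;
# line 11 uses a placeholder SHA that is not a real commit.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
      - uses: actions/setup-node@main
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - run: npm test
"""

# Matches `uses: <target>` with optional quotes and an optional trailing comment.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<target>[^\s'"#]+)['"]?\s*(?:#\s*(?P<comment>\S.*?))?\s*$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A readable version marker such as "v3.5.2" or "3.5.2" after the pinned SHA.
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")

Finding = Tuple[int, str, str]  # (line number, uses target, reason)


def audit_workflow(text: str) -> List[Finding]:
    """Return one finding per `uses:` line that is not immutably pinned
    or that is pinned without a version comment."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group("target"), m.group("comment")
        if target.startswith("./"):
            continue  # local action shipped with the repo: nothing external to pin
        if target.startswith("docker://"):
            # Container images are immutable only when referenced by digest.
            if "@sha256:" not in target:
                findings.append((n, target, "docker image not pinned by digest"))
            continue
        if "@" not in target:
            findings.append((n, target, "no @ref on action reference"))
            continue
        _action, ref = target.rsplit("@", 1)
        if not FULL_SHA_RE.match(ref):
            findings.append((n, target, "not a full 40-hex commit SHA (tag, branch or short SHA)"))
        elif not (comment and VERSION_COMMENT_RE.match(comment)):
            findings.append((n, target, "pinned but missing '# vX.Y.Z' version comment"))
    return findings


def audit_file(path: str) -> List[Finding]:
    """Audit a workflow file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_workflow(fh.read())


if __name__ == "__main__":
    # With file arguments, audit those workflows; otherwise run on the sample.
    sources = [(p, audit_file(p)) for p in sys.argv[1:]] or [("<sample>", audit_workflow(SAMPLE_WORKFLOW))]
    for name, findings in sources:
        for line_no, target, reason in findings:
            print(f"{name}:{line_no}: {target}: {reason}")
```

On the sample this reports the three tag/branch references, the SHA pin without a version comment, and the undigested container image; the `actions/checkout@<sha> # v3.5.2` line passes. Dependabot's `github-actions` ecosystem updates both the SHA and the trailing version comment, so a `.github/dependabot.yml` that already covers that ecosystem needs no change.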

@mgol
Member

mgol commented Jun 2, 2023

That's great to hear! I don't see any blockers to the change then. 🙂

timmywil removed the Discuss in Meeting label Jun 12, 2023
mgol added this to the 3.7.1 milestone Jun 13, 2023
mgol pushed a commit that referenced this issue Jun 13, 2023