Reference actions by commit SHA #5266
Comments
Thanks for the report! The suggestions make sense to me. The only problem is maintenance. Currently we know which major versions of the actions we're using, it won't be that clear with hashes - although, we can perhaps encode that info in comments. We also have a dependabot config that submits PRs with action updates once a month: https://github.com/jquery/jquery/blob/main/.github/dependabot.yml. Is there a way to have that still working or do we have to take on these periodic updates by ourselves?
Hi @mgol! I agree with the maintenance problem. I usually recommend that you keep a comment with the semantic version after the hash, such as
That's great to hear! I don't see any blockers to the change then. 🙂
The SHAs are verified to come from the original repositories and not forks. For reference:
https://github.com/github/codeql-action/releases/tag/v2.3.6 github/codeql-action@83f0fe6
https://github.com/actions/checkout/releases/tag/v3.5.2 actions/checkout@8e5e7e5
https://github.com/actions/cache/releases/tag/v3.3.1 actions/cache@88522ab
https://github.com/actions/setup-node/releases/tag/v3.6.0 actions/setup-node@64ed1c7
Fixes gh-5266
Closes gh-5269
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>

The SHAs are verified to come from the original repositories and not forks. For reference:
https://github.com/actions/checkout/releases/tag/v3.5.2 actions/checkout@8e5e7e5
https://github.com/actions/cache/releases/tag/v3.3.1 actions/cache@88522ab
https://github.com/actions/setup-node/releases/tag/v3.6.0 actions/setup-node@64ed1c7
Fixes gh-5266
Closes gh-5269
Signed-off-by: Gabriela Gutierrez <gabigutierrez@google.com>
(cherry picked from commit 784b9ba)
Description
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are vulnerable to attacks, such as the tag being moved to a malicious commit, a malicious commit being pushed to the branch or typosquatting.
Although there are pros and cons for each reference, GitHub understands that using commit SHAs is more reliable, as does the Scorecard security tool.
Analyzing node.js.yml and codeql-analysis.yml, the workflows use actions such as actions/checkout@v3 and actions/cache@v3. All actions are referenced by tags. To prevent the attacks mentioned above, it would be good to change the tag references to commit SHAs. If you agree, I can open a PR.
Additional Context
Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
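As an added example (not code from the jQuery project, the issue author, or the linked PR): a small Python check that scans a workflow's `uses:` lines and flags every reference that is not pinned to a full 40-character commit SHA, distinguishing movable tag/branch refs from abbreviated SHAs and noting whether the `# vX.Y.Z` comment recommended in the thread is present. Both workflow fragments are constructed for this example; the 40-character SHAs in the hardened fragment are placeholders built from the seven-character prefixes quoted in the commit message above and padded with zeros, not the real release commits.

```python
import re
from collections import namedtuple

# Added example, not jQuery project code. A `uses:` reference is immutable only
# when it names a full 40-hex-character commit SHA; a tag or branch can be moved
# to another commit, and an abbreviated SHA is not what the workflow should carry.

Finding = namedtuple("Finding", "action ref version problem")

# One `uses:` line: group 1 is owner/repo@ref, group 2 the trailing comment.
# Only spaces/tabs are allowed between the parts so a comment on the NEXT line
# is never attached to this reference.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)[ \t]*(?:#[ \t]*(.*))?$",
                     re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def audit_uses(workflow_text):
    """Return one Finding per repository action reference in the workflow text."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        target, comment = match.group(1), (match.group(2) or "").strip()
        if target.startswith(("./", "docker://")):
            continue  # local path or container image: no git ref to pin here
        if "@" not in target:
            findings.append(Finding(target, "", comment, "no ref given"))
            continue
        action, ref = target.rsplit("@", 1)
        if FULL_SHA_RE.match(ref):
            # Pinned. The version comment keeps the pin readable for humans.
            problem = None if comment else "pinned, but no version comment"
        elif SHORT_SHA_RE.match(ref):
            problem = "abbreviated SHA; use the full 40-character commit SHA"
        else:
            problem = "mutable ref (tag or branch) that can be moved to another commit"
        findings.append(Finding(action, ref, comment, problem))
    return findings


def unpinned(workflow_text):
    """Only the references that still need attention."""
    return [f for f in audit_uses(workflow_text) if f.problem]


# Constructed 'before' fragment, using the tag references quoted in the issue.
TAG_PINNED = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          path: node_modules
          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
      - uses: actions/setup-node@main
"""


def _placeholder_sha(prefix):
    """PLACEHOLDER: the 7-char prefix from the page, zero-padded to 40 chars.
    The real release commits are deliberately not reproduced here."""
    return prefix.ljust(40, "0")


# Constructed 'after' fragment: full SHA plus the `# vX.Y.Z` comment the thread
# recommends. The last step keeps an abbreviated SHA on purpose, to show the
# check rejecting it.
SHA_PINNED = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@""" + _placeholder_sha("8e5e7e5") + """ # v3.5.2
      - uses: actions/cache@""" + _placeholder_sha("88522ab") + """ # v3.3.1
        with:
          path: node_modules
          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
      - uses: actions/setup-node@64ed1c7 # v3.6.0
"""


def main():
    for name, text in (("tag-pinned", TAG_PINNED), ("sha-pinned", SHA_PINNED)):
        print(f"== {name} ==")
        for f in audit_uses(text):
            print(f"  {f.action}@{f.ref}: {f.problem or 'ok (' + f.version + ')'}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one status line per action; wire `unpinned()` into a pre-commit hook or CI step to fail when it returns anything. It is a line-oriented scan rather than a YAML parser, which is enough for `uses:` lines but means a reference inside a multi-line YAML string would also be reported.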