Description
When developing with CI workflows, it's common to version-pin dependencies (e.g. actions/checkout@v3). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.
Solution
Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.
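A small checker for the situation described above, added here as an example (it is not code from the issue or from three.js): it scans a workflow file for `uses:` steps and reports any remote action that is still referenced by a mutable tag rather than a full commit hash. The sample workflow and its 40-hex SHA are constructed placeholders, not real three.js workflow content.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the three.js repository). The SHA
# below is a placeholder, not the real commit of any released action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# Only a full 40-character SHA-1 counts; abbreviated hashes are rejected too.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_hash_pinned(ref: str) -> bool:
    """True if `owner/repo[/path]@ref` points at a full commit hash."""
    if "@" not in ref:
        return False
    return bool(SHA_RE.match(ref.rsplit("@", 1)[1]))


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, ref) for every remote action that is not hash-pinned.

    Local (./) and docker:// references are skipped: they are not resolved
    through a mutable git tag in another repository."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_hash_pinned(ref):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} uses a mutable tag, not a commit hash")
```

The trailing `# v3.8.1` comment on a hash-pinned line is the version marker that renovatebot keeps in sync with the hash when it opens an update PR.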
These dependencies can be kept up-to-date with renovatebot, which three.js already uses. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment (see this PR in my fork for example).
I'll send a PR pinning the workflow Actions and configuring renovatebot to keep them up-to-date along with this issue.
Alternatives
GitHub's dependabot can also keep hashes up-to-date, but three.js already uses renovatebot.
Additional context
I'm Pedro and I'm working to improve the supply-chain security of important projects such as three.js (see #26204).