
Hash-pin workflow Actions #26337

Closed
pnacht opened this issue Jun 27, 2023 · 0 comments · Fixed by #26338

Comments

pnacht (Contributor) commented Jun 27, 2023

Description

When developing with CI workflows, it's common to version-pin dependencies (i.e. actions/checkout@v3). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.

Solution

Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.

These dependencies can be kept up-to-date with renovatebot, which three.js already uses. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment (see this PR in my fork for example).

I'll send a PR pinning the workflow Actions and configuring renovatebot to keep them up-to-date along with this issue.

Alternatives

GitHub's dependabot can also keep hashes up-to-date, but three.js already uses renovatebot.

Additional context

I'm Pedro and I'm working to improve the supply-chain security of important projects such as three.js (see #26204).
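A small checker for the situation the issue describes, added here as an example; it is not code from the issue author or from the three.js repository. It flags `uses:` references resolved by a tag or branch, and rewrites one into the `@<sha> # <tag>` layout that renovatebot and dependabot keep updated. The workflow text, the action names other than `actions/checkout` and `actions/setup-node`, and the 40-hex digests are constructed placeholders, not real release commits.

```python
"""Flag GitHub Actions `uses:` targets that are not pinned to a full commit SHA.

Added example, not code from the issue or the three.js project. The workflow
below and the 40-hex digests in it are constructed placeholders.
"""
import re
from typing import List, Tuple

# `- uses: owner/repo[/path]@ref   # optional version comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
# A full-length SHA-1 object id; GitHub resolves action refs in git, and only a
# commit id is immutable (tags and branches can be moved by the action owner).
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: one tag-pinned step, one hash-pinned step with the
# version comment renovate maintains, a local action, a docker image, a branch.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v3.7.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: some-org/some-action@main
"""


def classify_uses(ref: str) -> str:
    """Return 'local', 'docker', 'hash' or 'mutable' for a `uses:` target."""
    if ref.startswith("./"):
        return "local"      # pinned implicitly by the calling repo's own commit
    if ref.startswith("docker://"):
        return "docker"     # image tag; pin by @sha256: digest, not a git commit
    if "@" not in ref:
        return "mutable"    # no ref at all resolves to the default branch
    git_ref = ref.rsplit("@", 1)[1]
    return "hash" if SHA1_RE.fullmatch(git_ref) else "mutable"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, uses_target) for every tag/branch reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group("ref")) == "mutable":
            findings.append((lineno, m.group("ref")))
    return findings


def pin_line(line: str, sha: str, version: str) -> str:
    """Rewrite `uses: X@tag` as `uses: X@<sha> # <tag>`.

    The trailing comment is what renovate/dependabot read to know which version
    the hash corresponds to, so they can bump both together.
    """
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a uses: line")
    if not SHA1_RE.fullmatch(sha):
        raise ValueError("sha must be a full 40-hex commit id")
    action = m.group("ref").rsplit("@", 1)[0]
    prefix = line[: line.index("uses:")]
    return f"{prefix}uses: {action}@{sha} # {version}"


if __name__ == "__main__":
    for lineno, target in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target} is not hash-pinned")
```

Local actions and `docker://` images are reported separately because a git commit id does not apply to them (a local action is fixed by the calling repository's commit; a container image is pinned by its `@sha256:` digest). Resolving a tag to its commit, for instance with `git ls-remote --tags` against the upstream repository, is the step this offline example leaves out; in practice renovatebot does that resolution and opens the PR, as the issue describes.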
