You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'd like to bring another security practice that might be relevant for packaging which is to pin github actions by hash. This is currently the only way to use an action as an immutable release, which avoids breaking changes, instant impact from malicious release and prevent from tag renaming attacks.
There are some pros and cons about hash pinning but for now, hash pinning actions and enabling dependabot to get security updates and fixes is considered the safer way to deal with workflow actions.
Of course that, due to #680, almost all workflows (except for codeql) are already safe because they are read only and does not access secrets. Although, it is common to hash pin all the workflows instead of just the ones with write permissions to keep consistency.
I'll be submmiting a PR as reference to show the changes related to this issue but let me know whether you rather not hash pin or hash pin only the privileged workflows.
Besides, regardless of which method will be used to pin actions, enabling dependabot is important to get version updates (even if it is major version updates only) to get vulnerability and bug fixes. Thus, I'll be submiting a different PR for dependabot.
Thanks!
Additional References
A tag renaming attack is a type of attack whereby an attacker:
I'd like to bring another security practice that might be relevant for packaging which is to pin github actions by hash. This is currently the only way to use an action as an immutable release, which avoids breaking changes, instant impact from malicious release and prevent from tag renaming attacks.
There are some pros and cons about hash pinning but for now, hash pinning actions and enabling dependabot to get security updates and fixes is considered the safer way to deal with workflow actions.
Of course that, due to #680, almost all workflows (except for codeql) are already safe because they are read only and does not access secrets. Although, it is common to hash pin all the workflows instead of just the ones with write permissions to keep consistency.
I'll be submmiting a PR as reference to show the changes related to this issue but let me know whether you rather not hash pin or hash pin only the privileged workflows.
Besides, regardless of which method will be used to pin actions, enabling dependabot is important to get version updates (even if it is major version updates only) to get vulnerability and bug fixes. Thus, I'll be submiting a different PR for dependabot.
Thanks!
Additional References
A tag renaming attack is a type of attack whereby an attacker:
See Why you should pin actions by commit hash
The text was updated successfully, but these errors were encountered: