Security: Third-party GH workflow actions are not pinned by full commit SHA #6704

Closed
rdimaio opened this issue Apr 19, 2024 · 0 comments · Fixed by #6706


rdimaio commented Apr 19, 2024

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions:

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

rdimaio self-assigned this Apr 19, 2024
rdimaio changed the title "Security: Third-party actions are not pinned by full commit SHA" to "Security: Third-party workfloe actions are not pinned by full commit SHA" Apr 19, 2024
rdimaio changed the title "Security: Third-party workfloe actions are not pinned by full commit SHA" to "Security: Third-party GH workflow actions are not pinned by full commit SHA" Apr 19, 2024
bari12 added this to the 34.2.1 / 34.3.0 milestone Apr 19, 2024
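
One way to audit workflow files for the condition this issue reports, as an added example that is not part of the issue or the project's code: it flags every `uses:` reference whose ref is not a full 40-character commit SHA. The `trusted_owners` exemption, the function name and the sample workflow (owners, action names, SHA) are assumptions constructed for illustration; the check covers only the form of the ref and does not confirm that the SHA belongs to the action's repository rather than a fork.

```python
import re

# A `uses:` key in a step or a reusable-workflow job, with optional quotes.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-fA-F]{40}")


def unpinned_actions(workflow_text, trusted_owners=()):
    """Return (line_no, reference, reason) for each `uses:` not pinned to a full SHA.

    trusted_owners is an assumption of this example: owners a project
    chooses to exempt from the check (for instance first-party actions).
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        target, sep, version = ref.partition("@")
        if target.split("/", 1)[0] in trusted_owners:
            continue
        if not sep:
            findings.append((line_no, ref, "no ref given"))
        elif not FULL_SHA_RE.fullmatch(version):
            findings.append((line_no, ref, "tag, branch or short SHA"))
    return findings


# Constructed sample workflow; owners, action names and the SHA are placeholders.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@v2   # mutable tag
      - uses: example-org/lint@main
      - uses: example-org/publish@0123456789abcdef0123456789abcdef01234567 # v1.3.0
      - uses: example-org/scan@0123456
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for line_no, ref, reason in unpinned_actions(SAMPLE, trusted_owners=("actions",)):
        print(f"line {line_no}: {ref} ({reason})")
```

Keeping the tag as a trailing comment next to the SHA, as on the `publish` line of the sample, preserves readability once references are pinned.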