This repository was archived by the owner on Jul 31, 2023. It is now read-only.

Hash pin github workflow dependencies #1294

Open
@joycebrum

Description

@joycebrum

Is your feature request related to a problem? Please describe.
Actions that are referenced by tags and branches are vulnerable to attacks, such as the tag being moved to a malicious commit (tag-renaming attacks), a malicious commit being pushed to the branch or typosquatting.

Describe the solution you'd like
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version.

Although there are pros and cons for each reference, GitHub understands SHAs are more reliable, as does the Scorecard security tool.

Along with hash-pinning dependencies, I also recommend adopting dependabot or renovatebot to help keep the dependencies up to date. Both tools can update hashes and associated semantic version comments.

If you agree, I can open a PR to change the references (which is basically actions/checkout and actions/setup-go) to commit SHA. I can also suggest a configuration to either dependabot or renovatebot, just let me know.

Additional context
A tag renaming attack is a type of attack whereby an attacker:

  • Hijacks an action.
  • Uploads a malicious version.
  • Replaces existing tags with malicious versions.

A typosquatting attack is a type of attack whereby an attacker:

  • Creates a malicious package.
  • Publishes it with a name similar to that of a known package (example: numpi instead of numpy).

For more information about the dependency-update tools:

About me, I'm Joyce and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
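The check below is an added example, not code from this issue, the repository it was filed against, or the Scorecard project. It scans a workflow file for `uses:` references and reports which ones point at a mutable tag or branch rather than a full 40-character commit SHA, which is the condition the issue asks to eliminate. The workflow text is constructed for the example, and the SHA in it is a placeholder made of repeated characters, not a real commit; the trailing `# v4.0.0` comment is the convention dependabot and renovatebot maintain next to a pinned hash.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for this example (not from any real repository).
# The 40-character value on the setup-go line is a placeholder, not a real commit SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # v4.0.0
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
      - name: build
        run: go build ./...
"""

# Matches a `uses:` key, with or without a leading list dash, and captures the
# reference up to the first whitespace or inline comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full commit SHA: exactly 40 lowercase hex digits.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, verdict) for every `uses:` entry.

    verdict is one of:
      'sha'     - pinned to a full commit SHA (immutable)
      'mutable' - a tag, a branch, or no version at all (default branch)
      'local'   - an action inside this repository (./path), not pinnable by SHA
      'docker'  - a container image reference (docker://...), pinned by digest, not SHA
    """
    results = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./"):
            verdict = "local"
        elif ref.startswith("docker://"):
            verdict = "docker"
        else:
            # rpartition leaves version == ref when there is no '@' at all,
            # which then fails the SHA check and is correctly reported as mutable.
            _, _, version = ref.rpartition("@")
            verdict = "sha" if SHA_RE.match(version) else "mutable"
        results.append((lineno, ref, verdict))
    return results


def unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Only the references a reviewer needs to act on: tags and branches."""
    return [(n, r) for n, r, v in classify_uses(workflow_text) if v == "mutable"]


if __name__ == "__main__":
    for lineno, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run against the sample, the script flags `actions/checkout@v3` and `some-org/some-action@main` and accepts the setup-go line, which is the shape every third-party reference should take after the change proposed in this issue. Local actions are skipped because they ship with the repository, and `docker://` references are reported separately since they are pinned by image digest rather than by git SHA.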
