-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci: pin all GH Actions #12619
Merged
Merged
ci: pin all GH Actions #12619
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- `git` tags are mutable, while SHAs are immutable, so SHAs are [recommended](https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#pinned-dependencies) for better supply chain security - Note that dependabot [knows how to](https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/) update both the SHA and the version comment - add https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions to `lint` job to ensure all actions stay pinned - All pins listed below: - pin `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` (c.f. [v4.1.1](https://github.com/actions/checkout/releases/tag/v4.1.1)) - pin `actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0` (c.f. [v5.0.0](https://github.com/actions/setup-go/releases/tag/v5.0.0)) - pin `actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1` (c.f. [v4.0.1](https://github.com/actions/setup-node/releases/tag/v4.0.1)) - pin `actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0` (c.f. [v5.0.0](https://github.com/actions/setup-python/releases/tag/v5.0.0)) - pin `actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0` (c.f. [v4.0.0](https://github.com/actions/setup-java/releases/tag/v4.0.0)) - pin `actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3` (c.f. [v3.3.3](https://github.com/actions/cache/releases/tag/v3.3.3)) - pin `actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3` (c.f. [v3.1.3](https://github.com/actions/upload-artifact/releases/tag/v3.1.3)) - pin `actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2` (c.f. [v3.0.2](https://github.com/actions/download-artifact/releases/tag/v3.0.2)) - pin `actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0` (c.f. [v9.0.0](https://github.com/actions/stale/releases/tag/v9.0.0)) - pin `dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0` (c.f. [v1.6.0](https://github.com/dependabot/fetch-metadata/releases/tag/v1.6.0)) - pin `docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0` (c.f. [v3.0.0](https://github.com/docker/setup-buildx-action/releases/tag/v3.0.0)) - pin `docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0` (c.f. [v5.1.0](https://github.com/docker/build-push-action/releases/tag/v5.1.0)) - pin `docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0` (c.f. [v3.0.0](https://github.com/docker/setup-qemu-action/releases/tag/v3.0.0)) - pin `docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0` (c.f. [v3.0.0](https://github.com/docker/login-action/releases/tag/v3.0.0)) - pin `Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1` (c.f. [v1.0.1](https://github.com/Azure/docker-login/releases/tag/v1.0.1)) - pin `sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0` (c.f. [v3.4.0](https://github.com/sigstore/cosign-installer/releases/tag/v3.4.0)) - pin `snyk/action/golang@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0` (c.f. [v0.4.0](https://github.com/snyk/actions/releases/tag/0.4.0)) - pin `snyk/action/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0` (c.f. [v0.4.0](https://github.com/snyk/actions/releases/tag/0.4.0)) - pin `tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2` (c.f. [v41.1.2](https://github.com/tj-actions/changed-files/releases/tag/v41.1.2)) - pin `softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1` (c.f. [v1](https://github.com/softprops/action-gh-release/releases/tag/v1)) - pin `amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0` (c.f. [v5.4.0](https://github.com/amannn/action-semantic-pull-request/releases/tag/v5.4.0)) - pin `peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2` (c.f. [v5.0.2](https://github.com/peter-evans/create-pull-request/releases/tag/v5.0.2)) Signed-off-by: Anton Gilgur <[email protected]>
agilgur5
added
type/security
Security related
type/dependencies
PRs and issues specific to updating dependencies
github_actions
Pull requests that update Github_actions dependencies
area/build
Build or GithubAction/CI issues
labels
Feb 4, 2024
7 tasks
isubasinghe
approved these changes
Feb 5, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an excellent idea, something we should have had earlier
Merged |
terrytangyuan
approved these changes
Feb 5, 2024
This raised our OpenSSF Scorecard score by 6 points in the pinned deps check 🙂 |
agilgur5
added a commit
that referenced
this pull request
May 27, 2024
Signed-off-by: Anton Gilgur <[email protected]> (cherry picked from commit 6ba7401)
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
area/build
Build or GithubAction/CI issues
github_actions
Pull requests that update Github_actions dependencies
type/dependencies
PRs and issues specific to updating dependencies
type/security
Security related
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Partial fix for #12031, "Pinned Dependencies"
Motivation
git
tags are mutable, while SHAs are immutable, so SHAs are recommended for better supply chain securityModifications
add https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions to
lint
job to ensure all actions stay pinnedon: pull_request
ossf/scorecard-action#1019 and there isn't a way to use specific checks per Customization of results ossf/scorecard-action#729 (also feat: run scorecard only once ossf/scorecard-action#1071 might hit rate limits)Pinned all actions, as listed below, from "most trusted" to "least trusted" (zero trust all though, but potentially relevant for risk assessment purposes):
Published by GitHub:
actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
(c.f. v4.1.1)actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
(c.f. v5.0.0)actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
(c.f. v4.0.1)actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
(c.f. v5.0.0)actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0
(c.f. v4.0.0)actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
(c.f. v3.3.3)actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
(c.f. v3.1.3)actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
(c.f. v3.0.2)actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
(c.f. v9.0.0)dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
(c.f. v1.6.0)Published by Docker, Azure/MSFT, then sigstore:
docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
(c.f. v3.0.0)docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
(c.f. v5.1.0)docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
(c.f. v3.0.0)docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
(c.f. v3.0.0)Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1
(c.f. v1.0.1)sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
(c.f. v3.4.0)Published by Snyk:
snyk/action/golang@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
(c.f. v0.4.0)snyk/action/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0
(c.f. v0.4.0)Published by third-party / indie:
tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2
(c.f. v41.1.2)softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
(c.f. v1)amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
(c.f. v5.4.0)peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
(c.f. v5.0.2)Verification
CI passes