Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: pin all GH Actions #12619

Merged
merged 2 commits into from
Feb 5, 2024
Merged

ci: pin all GH Actions #12619

merged 2 commits into from
Feb 5, 2024

Conversation

agilgur5
Copy link
Contributor

@agilgur5 agilgur5 commented Feb 4, 2024

Partial fix for #12031, "Pinned Dependencies"

Motivation

  • git tags are mutable, while SHAs are immutable, so SHAs are recommended for better supply chain security
    • Note that dependabot knows how to update both the SHA and the version comment

Modifications

  • add https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions to lint job to ensure all actions stay pinned

  • Pinned all actions, as listed below, from "most trusted" to "least trusted" (zero trust all though, but potentially relevant for risk assessment purposes):
    • Published by GitHub:

      • pin actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 (c.f. v4.1.1)
      • pin actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 (c.f. v5.0.0)
      • pin actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1 (c.f. v4.0.1)
      • pin actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 (c.f. v5.0.0)
      • pin actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0 (c.f. v4.0.0)
      • pin actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 (c.f. v3.3.3)
      • pin actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 (c.f. v3.1.3)
      • pin actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 (c.f. v3.0.2)
      • pin actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 (c.f. v9.0.0)
      • pin dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0 (c.f. v1.6.0)
    • Published by Docker, Azure/MSFT, then sigstore:

      • pin docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 (c.f. v3.0.0)
      • pin docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 (c.f. v5.1.0)
      • pin docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 (c.f. v3.0.0)
      • pin docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 (c.f. v3.0.0)
      • pin Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1 (c.f. v1.0.1)
      • pin sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 (c.f. v3.4.0)
    • Published by Snyk:

      • pin snyk/action/golang@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 (c.f. v0.4.0)
      • pin snyk/action/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 (c.f. v0.4.0)
    • Published by third-party / indie:

      • pin tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2 (c.f. v41.1.2)
      • pin softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1 (c.f. v1)
      • pin amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 (c.f. v5.4.0)
      • pin peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2 (c.f. v5.0.2)

Verification

CI passes

- `git` tags are mutable, while SHAs are immutable, so SHAs are [recommended](https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#pinned-dependencies) for better supply chain security
  - Note that dependabot [knows how to](https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/) update both the SHA and the version comment

- add https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions to `lint` job to ensure all actions stay pinned

- All pins listed below:
  - pin `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` (c.f. [v4.1.1](https://github.com/actions/checkout/releases/tag/v4.1.1))
  - pin `actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0` (c.f. [v5.0.0](https://github.com/actions/setup-go/releases/tag/v5.0.0))
  - pin `actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1` (c.f. [v4.0.1](https://github.com/actions/setup-node/releases/tag/v4.0.1))
  - pin `actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0` (c.f. [v5.0.0](https://github.com/actions/setup-python/releases/tag/v5.0.0))
  - pin `actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0` (c.f. [v4.0.0](https://github.com/actions/setup-java/releases/tag/v4.0.0))
  - pin `actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3` (c.f. [v3.3.3](https://github.com/actions/cache/releases/tag/v3.3.3))
  - pin `actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3` (c.f. [v3.1.3](https://github.com/actions/upload-artifact/releases/tag/v3.1.3))
  - pin `actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2` (c.f. [v3.0.2](https://github.com/actions/download-artifact/releases/tag/v3.0.2))
  - pin `actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0` (c.f. [v9.0.0](https://github.com/actions/stale/releases/tag/v9.0.0))
  - pin `dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0` (c.f. [v1.6.0](https://github.com/dependabot/fetch-metadata/releases/tag/v1.6.0))

  - pin `docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0` (c.f. [v3.0.0](https://github.com/docker/setup-buildx-action/releases/tag/v3.0.0))
  - pin `docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0` (c.f. [v5.1.0](https://github.com/docker/build-push-action/releases/tag/v5.1.0))
  - pin `docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0` (c.f. [v3.0.0](https://github.com/docker/setup-qemu-action/releases/tag/v3.0.0))
  - pin `docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0` (c.f. [v3.0.0](https://github.com/docker/login-action/releases/tag/v3.0.0))
  - pin `Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1` (c.f. [v1.0.1](https://github.com/Azure/docker-login/releases/tag/v1.0.1))
  - pin `sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0` (c.f. [v3.4.0](https://github.com/sigstore/cosign-installer/releases/tag/v3.4.0))

  - pin `snyk/action/golang@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0` (c.f. [v0.4.0](https://github.com/snyk/actions/releases/tag/0.4.0))
  - pin `snyk/action/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0` (c.f. [v0.4.0](https://github.com/snyk/actions/releases/tag/0.4.0))

  - pin `tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2` (c.f. [v41.1.2](https://github.com/tj-actions/changed-files/releases/tag/v41.1.2))
  - pin `softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1` (c.f. [v1](https://github.com/softprops/action-gh-release/releases/tag/v1))
  - pin `amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0` (c.f. [v5.4.0](https://github.com/amannn/action-semantic-pull-request/releases/tag/v5.4.0))
  - pin `peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2` (c.f. [v5.0.2](https://github.com/peter-evans/create-pull-request/releases/tag/v5.0.2))

Signed-off-by: Anton Gilgur <[email protected]>
@agilgur5 agilgur5 added type/security Security related type/dependencies PRs and issues specific to updating dependencies github_actions Pull requests that update Github_actions dependencies area/build Build or GithubAction/CI issues labels Feb 4, 2024
Copy link
Member

@isubasinghe isubasinghe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an excellent idea, something we should have had earlier

@agilgur5
Copy link
Contributor Author

agilgur5 commented Feb 5, 2024

Merged main for the E2E fix

@terrytangyuan terrytangyuan merged commit 6ba7401 into argoproj:main Feb 5, 2024
30 checks passed
@agilgur5 agilgur5 deleted the ci-pin-actions branch February 5, 2024 18:36
@agilgur5
Copy link
Contributor Author

This raised our OpenSSF Scorecard score by 6 points in the pinned deps check 🙂

@agilgur5 agilgur5 added this to the v3.5.x patches milestone May 27, 2024
agilgur5 added a commit that referenced this pull request May 27, 2024
Signed-off-by: Anton Gilgur <[email protected]>
(cherry picked from commit 6ba7401)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/build Build or GithubAction/CI issues github_actions Pull requests that update Github_actions dependencies type/dependencies PRs and issues specific to updating dependencies type/security Security related
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants