Improve security posture by pinning all third-party GitHub actions to specific commit SHA #8

saragerion · 2023-10-05T14:08:28Z

Suggestion/Improvement

This issue proposes to pin the version of all third-party GitHub actions used in this repo leveraging a commit SHA rather than a branch or a tag.

Using a SHA is generally suggested because of various reasons:

It makes the third-party action's code immutable: the source action won't change over time with new releases so the action will always have a predictable behavior. New breaking changes won't impact our workflow.
It helps mitigate the risk of a bad actor adding a backdoor to the third-party action's repository. Pinning to a commit SHA reduces this risk of unintentionally introducing malicious code in the future ( a branch or tag of an action can be compromised, the commit SHA is immutable).

For example in the workflows file(s), this line:

      - uses: actions/checkout@v2

will be changed to this:

      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

Where 8ade135a41bc03ea155e62e844d188df1ea18608 is the full commit SHA of the latest published tag of the actions/checkout repository.

The text was updated successfully, but these errors were encountered:

saragerion added the good first issue Good for newcomers label Oct 5, 2023

saragerion added this to Hacktoberfest Oct 5, 2023

saragerion moved this to Good First Issues in Hacktoberfest Oct 5, 2023

saragerion mentioned this issue Oct 5, 2023

feat: add greetings file shesharpnl/.github#7

Open