Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve security posture by pinning all third-party GitHub actions to specific commit SHA #1

Open
saragerion opened this issue Oct 5, 2023 · 0 comments
Labels
good first issue Good for newcomers

Comments

@saragerion
Copy link
Collaborator

Suggestion/Improvement

Description

This issue proposes to pin the version of all third-party GitHub actions used in this repo leveraging a commit SHA rather than a branch or a tag.

Motivation

Using a SHA is generally suggested because of various reasons:

  • It makes the third-party action's code immutable: the third-party action code won't change over time with new releases so the action will always have a predictable behavior. New breaking changes won't impact our workflow.
  • It helps mitigate the risk of a bad actor adding a backdoor to the third-party action's repository. Pinning to a commit SHA reduces this risk of unintentionally introducing malicious code in the future ( a branch or tag of an action can be compromised, the commit SHA is immutable).

See more info here: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Implementation (if applicable)

For example in the workflows file(s), this line:

      - uses: actions/checkout@v2

will be changed to this:

      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608

Where 8ade135a41bc03ea155e62e844d188df1ea18608 is the full commit SHA of the latest published tag of the actions/checkout repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Good for newcomers
Projects
Status: Good First Issues - Documentation
Development

No branches or pull requests

1 participant