Pin GitHub Actions to Git commit hash #27

achrinza · 2022-05-14T09:50:16Z

Currently, we're inconsistently referencing third-party GitHub Actions by Git tags, Git branches and the Git commit hash.

Git tags and Git branches can be re-pointed to a different Git commit hash without our explicit knowledge. Hence, this poses a security risk as a malicious GitHub Action that we depend on can go under the radar without our knowledge.

We should standardise on referencing by Git commit hash.

Renovate currently handles keeping the GitHub Actions up-to-date. It supports updating Git commit hash while following the Git tags:

The syntax would be either of the following:

- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # renovate: tag=v2.4.0

- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0

- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0

Loosely-related to #25 (Part of OpenSSF Scorecard check).

GitHub repositories

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

- Prepare Renovate config for v6.x branch - Tidy pipeline code - Drop uneeded test matrix (semver-major release) - Pin GitHub Actions action to Git commit hash see: loopbackio/security#27 see: #720 Signed-off-by: Rifa Achrinza <[email protected]>

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

see: loopbackio/cicd#91 see: loopbackio/cicd#90 see: loopbackio/cicd#89 see: loopbackio/cicd#83 see: loopbackio/security#27 see: loopbackio/security#26 see: loopbackio/security#23 see: loopbackio/security#16 Signed-off-by: Rifa Achrinza <[email protected]>

see: https://github.com/loopbackio/strong-error-handler/security/code-scanning/7 see: https://github.com/loopbackio/strong-error-handler/security/code-scanning/6 see: https://github.com/loopbackio/strong-error-handler/security/code-scanning/5 see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added this to LoopBack Common Project Board May 14, 2022

achrinza moved this to Icebox in LoopBack Common Project Board May 14, 2022

achrinza mentioned this issue May 14, 2022

Restrict imported GitHub Actions to an allowlist #28

Open

achrinza moved this from Icebox to Current/Backlog in LoopBack Common Project Board Aug 28, 2022

achrinza self-assigned this Aug 28, 2022

achrinza added a commit to loopbackio/loopback-next that referenced this issue Aug 28, 2022

ci: pin GH Actions to Git Hash

5c4d8e6

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza mentioned this issue Aug 28, 2022

ci: pin GitHub Actions to Git hash loopbackio/loopback-next#8868

Merged

3 tasks

achrinza added a commit to loopbackio/loopback-next that referenced this issue Aug 28, 2022

ci: pin GH Actions to Git Hash

84c1e3a

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/loopback-next that referenced this issue Aug 28, 2022

ci: pin GH Actions to Git Hash

1c0d1fd

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/loopback-next that referenced this issue Aug 28, 2022

ci: pin GitHub Actions to Git hash

b7280aa

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/loopback-next that referenced this issue Aug 28, 2022

ci: pin GitHub Actions to Git hash

2d71287

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/loopback-connector that referenced this issue Aug 28, 2022

ci: pin GitHub Actions Git hash

210e3a9

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza mentioned this issue Aug 28, 2022

ci: pin GitHub Actions Git hash loopbackio/loopback-connector#231

Merged

3 tasks

achrinza added a commit to loopbackio/loopback-connector that referenced this issue Aug 28, 2022

ci: pin GitHub Actions Git hash

e95a478

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/loopback.io that referenced this issue Aug 28, 2022

ci: pin GitHub Actions Git hash

f301420

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza mentioned this issue Aug 28, 2022

ci: pin GitHub Actions Git hash loopbackio/loopback.io#1378

Merged

achrinza added a commit to loopbackio/loopback-connector that referenced this issue Aug 28, 2022

ci: pin GitHub Actions Git hash

ca95adb

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/loopback.io that referenced this issue Sep 3, 2022

ci: pin GitHub Actions Git hash

5eb6d67

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/loopback-next that referenced this issue Sep 8, 2022

ci: pin GitHub Actions to Git hash

b4ca8bc

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/loopback-next that referenced this issue Sep 8, 2022

ci: pin GitHub Actions to Git hash

f8093ef

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/cicd that referenced this issue Aug 30, 2023

ci: Pin to GH Actions to Git hash

53125da

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza mentioned this issue Aug 30, 2023

ci: harden runner & pin GH Actions loopbackio/cicd#70

Merged

achrinza added a commit to loopbackio/cicd that referenced this issue Aug 30, 2023

ci: Pin to GH Actions to Git hash

08d8a1d

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/strong-soap that referenced this issue Oct 26, 2023

ci: pin GHA Actions

0f24d69

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/strong-soap that referenced this issue Oct 26, 2023

ci: pin GHA Actions

571dc12

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

achrinza added a commit to loopbackio/strong-soap that referenced this issue Oct 26, 2023

ci: pin GHA Actions

8bf4755

see: loopbackio/security#27 Signed-off-by: Rifa Achrinza <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pin GitHub Actions to Git commit hash #27

Pin GitHub Actions to Git commit hash #27

achrinza commented May 14, 2022 •

edited

Loading

Pin GitHub Actions to Git commit hash #27

Pin GitHub Actions to Git commit hash #27

Comments

achrinza commented May 14, 2022 • edited Loading

GitHub repositories

achrinza commented May 14, 2022 •

edited

Loading