Use stricter version pinning for GitHub Actions in repository workflows #466
Labels:
A-codesigning: Area: Apple and GPG codesigning accounts and key material.
A-github: Area: GitHub infrastructure as code.
A-github-actions: Area: GitHub Actions workflows and automation.
A-security: Area: Security vulnerabilities and unsoundness issues.
Comments
lopopolo added the A-github and A-github-actions labels on Apr 28, 2023
Actions were updated to these versions across the organization, using this script:

```ruby
#!/usr/bin/env ruby

# Pinned references to roll out. Third-party actions are pinned to a full
# commit SHA with the matching release tag recorded in a trailing comment;
# actions from the @actions and @artichoke orgs are pinned to a full version tag.
actions = [
  "EmbarkStudios/cargo-deny-action@e0a440755b184aa50374330fa75cca0f84fcb59a # v1.5.2",
  "Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1",
  "actions/cache@v3.3.1",
  "actions/checkout@v3.5.2",
  "actions/download-artifact@v3.0.2",
  "actions/setup-node@v3.6.0",
  "actions/setup-python@v4.6.0",
  "actions/upload-artifact@v3.1.2",
  "artichoke/generate_third_party@v1.10.0",
  "artichoke/setup-rust/audit@v1.9.0",
  "artichoke/setup-rust/build-and-test@v1.9.0",
  "artichoke/setup-rust/check-minimal-versions@v1.9.0",
  "artichoke/setup-rust/code-coverage@v1.9.0",
  "artichoke/setup-rust/lint-and-format@v1.9.0",
  "artichoke/setup-rust/miri@v1.9.0",
  "artichoke/setup-rust/rustdoc@v1.9.0",
  "aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0",
  "crazy-max/ghaction-github-labeler@3de87da19416edc45c90cd89e7a4ea922a3aae5a # v4.1.0",
  "crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0",
  "docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0",
  "docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0",
  "docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0",
  "docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0",
  # Docker container actions are left as-is; `docker://` references have no `@ref` to rewrite.
  # "docker://aquasec/tfsec:v1.28.1",
  # "docker://hadolint/hadolint:v2.12.0",
  "eregon/keep-last-n-releases@c662ecf90e35b1070a4894539d8804a286e55151 # v1",
  "gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15",
  "hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3",
  "mheap/github-action-required-labels@422e4c352ef83db91089e6acfbf09d8725e08abc # v4.0.0",
  "mymindstorm/setup-emsdk@ab889da2abbcbb280f91ec4c215d3bb4f3a8f775 # v12",
  "ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0",
  "peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.2",
  "ruby/setup-ruby@6cecb48364174b0952995175c55f9bf5527e6682 # v1.147.0",
]

# For each action, find every YAML file (including dotfiles under .github/)
# that references it and rewrite the `uses:` line to the pinned reference.
# `sed -i ''` is the BSD/macOS form of in-place editing.
actions.each do |action|
  name = action.split("@").first
  `rg -l --type yaml --hidden '#{name}' | xargs -n1 sed -i '' -e 's!uses: #{name}@.*$!uses: #{action}!g'`
end

# Revert any rewrites that landed in vendored trees:
# `zsh -c 'git checkout -- **/vendor/'`
```

These docker containers were not updated away from

I adopted this approach after seeing it in pyca/cryptography:
lopopolo added the A-security label on Apr 28, 2023
lopopolo added the A-codesigning label on Jun 10, 2023
The GitHub Actions ecosystem by default suggests depending on actions via mutable tags. For example, `actions/checkout` suggests depending on it in a workflow by the `v3` tag: https://github.com/actions/checkout#fetch-all-history-for-all-tags-and-branches

The `v3` tag is mutated to match the latest v3.x.y on each release. This presents a supply chain and build breakage risk in that workflows take on updates without an explicit adoption step or opportunity to review.

@dependabot can make PRs to automatically update GitHub Action dependencies by fully qualified tag. For example, using `actions/checkout@v3.5.2`. For GitHub actions published by the @actions (official GitHub-provided actions) and @artichoke (first party) organizations, use these full version tags to pin.

GitHub Actions can also be depended on via Git SHA, like this:

@dependabot is capable of updating both the SHA and the comment which maps to the Git tag the SHA corresponds to. For third party actions (any actions published by orgs/users other than @actions and @artichoke), use a Git SHA and version comment to pin.
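A lint that checks `uses:` references in a workflow file against the policy stated above (full `vX.Y.Z` tag for @actions and @artichoke, 40-hex commit SHA plus a version comment for everyone else) is useful as a CI guard so the pinning does not regress. The script below is an added example, not part of this issue or the artichoke repository: the regular expressions, the helper names (`check_uses`, `lint_workflow`) and the sample workflow are my own; the action names and SHAs in the sample are copied from the version list in the comment above. `docker://` and local `./path` references have no `@ref` and are not checked.

```ruby
#!/usr/bin/env ruby
# frozen_string_literal: true

# Orgs whose actions may be pinned by full version tag instead of commit SHA
# (from the issue). Everything else must be pinned by SHA with a version comment.
FIRST_PARTY_ORGS = %w[actions artichoke].freeze

# Matches `uses: owner/repo[/subpath]@ref` with an optional trailing `# comment`.
# `docker://image:tag` and `./local/action` contain no `@` and never match.
USES_RE = %r{^\s*-?\s*uses:\s*(?<repo>[\w.-]+/[\w./-]+)@(?<ref>[^\s#]+)\s*(?:#\s*(?<comment>.*))?$}

FULL_SHA_RE    = /\A[0-9a-f]{40}\z/      # full commit SHA, not an abbreviation
FULL_TAG_RE    = /\Av\d+\.\d+\.\d+\z/    # e.g. v3.5.2, not the mutable v3
COMMENT_TAG_RE = /\Av\d+(\.\d+)*\z/      # the tag Dependabot keeps in the comment

# Classify one reference. Returns :ok or a symbol naming the policy violation.
def check_uses(repo, ref, comment)
  owner = repo.split("/").first
  if FULL_SHA_RE.match?(ref)
    # A bare SHA is opaque to reviewers and to Dependabot; require the version comment.
    return COMMENT_TAG_RE.match?(comment.to_s.strip) ? :ok : :sha_without_version_comment
  end
  if FIRST_PARTY_ORGS.include?(owner)
    return FULL_TAG_RE.match?(ref) ? :ok : :first_party_not_full_tag
  end
  :third_party_not_sha
end

# Scan workflow text and return every non-compliant `uses:` line.
def lint_workflow(text)
  findings = []
  text.each_line.with_index(1) do |line, lineno|
    m = USES_RE.match(line)
    next unless m
    status = check_uses(m[:repo], m[:ref], m[:comment])
    next if status == :ok
    findings << { line: lineno, repo: m[:repo], ref: m[:ref], status: status }
  end
  findings
end

# Constructed sample workflow (not a real artichoke workflow); mixes compliant
# and non-compliant pins so each branch of check_uses is exercised.
SAMPLE_WORKFLOW = <<~YAML
  # constructed sample
  name: ci
  on: [push]
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v3
        - uses: actions/checkout@v3.5.2
        - uses: artichoke/setup-rust/audit@v1.9.0
        - uses: Swatinem/rust-cache@v2
        - uses: Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1
        - uses: EmbarkStudios/cargo-deny-action@e0a440755b184aa50374330fa75cca0f84fcb59a
        - uses: docker://hadolint/hadolint:v2.12.0
YAML

if $PROGRAM_NAME == __FILE__
  # With no arguments lint the embedded sample; otherwise lint each path given.
  inputs = ARGV.empty? ? { "<sample>" => SAMPLE_WORKFLOW } : ARGV.to_h { |p| [p, File.read(p)] }
  inputs.each do |path, text|
    lint_workflow(text).each do |f|
      puts "#{path}:#{f[:line]}: #{f[:status]}: #{f[:repo]}@#{f[:ref]}"
    end
  end
end
```

Run with no arguments to see the three findings from the sample (the mutable `v3`, the third-party `v2`, and the SHA with no version comment); pass `.github/workflows/*.yml` to lint a real repository. Because the check is a plain line scan rather than a YAML parse, it also covers composite actions and reusable workflows wherever a `uses:` line appears.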
Deployment
This change has already been deployed. This ticket documents the decision and rationale for moving forward.
Deployed PRs: