
Use stricter version pinning for GitHub Actions in repository workflows #466

Closed
lopopolo opened this issue Apr 28, 2023 · 4 comments
Labels
A-codesigning Area: Apple and GPG codesigning accounts and key material. A-github Area: GitHub infrastructure as code. A-github-actions Area: GitHub Actions workflows and automation. A-security Area: Security vulnerabilities and unsoundness issues.

Comments

@lopopolo
Member

The GitHub Actions ecosystem by default suggests depending on actions via mutable tags. For example, actions/checkout suggests depending on it in a workflow by the v3 tag:

https://github.com/actions/checkout#fetch-all-history-for-all-tags-and-branches

- uses: actions/checkout@v3
  with:
    fetch-depth: 0

The v3 tag is mutated to match the latest v3.x.y on each release.

This presents a supply chain and build breakage risk in that workflows take on updates without an explicit adoption step or opportunity to review.

@dependabot can make PRs to automatically update GitHub Action dependencies by fully qualified tag. For example, using actions/checkout@v3.5.2. For GitHub actions published by the @actions (official GitHub-provided actions) and @artichoke (first party) organizations, use these full version tags to pin.

GitHub Actions can also be depended on via Git SHA, like this:

      - name: Install Ruby toolchain
        uses: ruby/setup-ruby@6cecb48364174b0952995175c55f9bf5527e6682 # v1.147.0
        with:
          ruby-version: ".ruby-version"
          bundler-cache: true

@dependabot is capable of updating both the SHA and the comment which maps to the Git tag the SHA corresponds to. For third party actions (any actions published by orgs/users other than @actions and @artichoke), use a Git SHA and version comment to pin.

Deployment

This change has already been deployed. This ticket documents the decision and rationale for moving forward.

Deployed PRs:

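A lint that applies the pinning policy above to `uses:` references in workflow YAML, added here as an example and not code from this issue or the artichoke repositories. It assumes `actions` and `artichoke` are the first-party orgs (as stated in the issue) and, as my own rule, that container references must carry an explicit tag other than `latest`.

```ruby
# Added example: checks `uses:` references against the pinning policy in the
# issue. Assumption: first-party orgs are `actions` and `artichoke`; container
# refs (docker://) need an explicit non-`latest` tag (rule added for this lint).
FIRST_PARTY_ORGS = %w[actions artichoke].freeze
SHA_RE = /\A[0-9a-f]{40}\z/
FULL_TAG_RE = /\Av\d+\.\d+\.\d+\z/
# Matches `uses: owner/repo[/path]@ref` with an optional `# vX.Y.Z` comment.
USES_RE = %r{^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(\S+))?\s*$}

# Returns nil when the reference satisfies the policy, otherwise a reason string.
def pin_violation(ref, comment = nil)
  if ref.start_with?("docker://")
    tag = ref.split(":", 3)[2]
    return "container image tag is missing or floating" if tag.nil? || tag == "latest"
    return nil
  end
  name, version = ref.split("@", 2)
  return "no version given" if version.nil? || version.empty?
  if FIRST_PARTY_ORGS.include?(name.split("/").first)
    # First party: a full vX.Y.Z tag is enough; Dependabot bumps it by PR.
    return version.match?(FULL_TAG_RE) ? nil : "first-party action needs a full version tag, not '#{version}'"
  end
  # Third party: immutable commit SHA plus a version comment Dependabot keeps in sync.
  return "third-party action must be pinned to a 40-char commit SHA" unless version.match?(SHA_RE)
  comment.nil? ? "SHA pin is missing its '# vX.Y.Z' version comment" : nil
end

# Scans workflow text; returns [[line_no, ref, reason], ...], one entry per violation.
def lint_workflow(text)
  text.each_line.with_index(1).filter_map do |line, n|
    m = USES_RE.match(line) or next
    reason = pin_violation(m[1], m[2])
    [n, m[1], reason] if reason
  end
end

# Constructed sample workflow fragment mixing compliant and non-compliant pins.
SAMPLE = <<~YAML
  steps:
    - uses: actions/checkout@v3
    - uses: actions/checkout@v3.5.2
    - uses: ruby/setup-ruby@6cecb48364174b0952995175c55f9bf5527e6682 # v1.147.0
    - uses: ruby/setup-ruby@v1
    - uses: docker://hadolint/hadolint:v2.12.0
    - uses: docker://hadolint/hadolint:latest
YAML

lint_workflow(SAMPLE).each { |n, ref, why| puts "line #{n}: #{ref}: #{why}" }
```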
@lopopolo lopopolo added A-github Area: GitHub infrastructure as code. A-github-actions Area: GitHub Actions workflows and automation. labels Apr 28, 2023
@lopopolo
Member Author

Actions were updated to these versions across the organization:

EmbarkStudios/cargo-deny-action@e0a440755b184aa50374330fa75cca0f84fcb59a # v1.5.2
Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1
actions/cache@v3.3.1
actions/checkout@v3.5.2
actions/download-artifact@v3.0.2
actions/setup-node@v3.6.0
actions/setup-python@v4.6.0
actions/upload-artifact@v3.1.2
artichoke/generate_third_party@v1.10.0
artichoke/setup-rust/audit@v1.9.0
artichoke/setup-rust/build-and-test@v1.9.0
artichoke/setup-rust/check-minimal-versions@v1.9.0
artichoke/setup-rust/code-coverage@v1.9.0
artichoke/setup-rust/lint-and-format@v1.9.0
artichoke/setup-rust/miri@v1.9.0
artichoke/setup-rust/rustdoc@v1.9.0
aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0
crazy-max/ghaction-github-labeler@3de87da19416edc45c90cd89e7a4ea922a3aae5a # v4.1.0
crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0
docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
docker://aquasec/tfsec:v1.28.1
docker://hadolint/hadolint:v2.12.0
eregon/keep-last-n-releases@c662ecf90e35b1070a4894539d8804a286e55151 # v1
gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15
hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
mheap/github-action-required-labels@422e4c352ef83db91089e6acfbf09d8725e08abc # v4.0.0
mymindstorm/setup-emsdk@ab889da2abbcbb280f91ec4c215d3bb4f3a8f775 # v12
ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.2
ruby/setup-ruby@6cecb48364174b0952995175c55f9bf5527e6682 # v1.147.0

@lopopolo
Member Author

Using this script:

actions = [
  "EmbarkStudios/cargo-deny-action@e0a440755b184aa50374330fa75cca0f84fcb59a # v1.5.2",
  "Swatinem/rust-cache@6fd3edff6979b79f87531400ad694fb7f2c84b1f # v2.2.1",
  "actions/cache@v3.3.1",
  "actions/checkout@v3.5.2",
  "actions/download-artifact@v3.0.2",
  "actions/setup-node@v3.6.0",
  "actions/setup-python@v4.6.0",
  "actions/upload-artifact@v3.1.2",
  "artichoke/generate_third_party@v1.10.0",
  "artichoke/setup-rust/audit@v1.9.0",
  "artichoke/setup-rust/build-and-test@v1.9.0",
  "artichoke/setup-rust/check-minimal-versions@v1.9.0",
  "artichoke/setup-rust/code-coverage@v1.9.0",
  "artichoke/setup-rust/lint-and-format@v1.9.0",
  "artichoke/setup-rust/miri@v1.9.0",
  "artichoke/setup-rust/rustdoc@v1.9.0",
  "aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef # v2.0.0",
  "crazy-max/ghaction-github-labeler@3de87da19416edc45c90cd89e7a4ea922a3aae5a # v4.1.0",
  "crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0",
  "docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0",
  "docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0",
  "docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0",
  "docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0",
  # "docker://aquasec/tfsec:v1.28.1",
  # "docker://hadolint/hadolint:v2.12.0",
  "eregon/keep-last-n-releases@c662ecf90e35b1070a4894539d8804a286e55151 # v1",
  "gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # v1.0.15",
  "hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3",
  "mheap/github-action-required-labels@422e4c352ef83db91089e6acfbf09d8725e08abc # v4.0.0",
  "mymindstorm/setup-emsdk@ab889da2abbcbb280f91ec4c215d3bb4f3a8f775 # v12",
  "ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0",
  "peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.2",
  "ruby/setup-ruby@6cecb48364174b0952995175c55f9bf5527e6682 # v1.147.0",
]

actions.each do |action|
  # Everything before the `@` is the action name, e.g. `ruby/setup-ruby`.
  name = action.split("@").first
  # Find every YAML file (including dotfiles under .github) that references the
  # action and rewrite its `uses:` line to the pinned form. `sed -i ''` is the
  # BSD/macOS in-place syntax; GNU sed takes `-i` without the empty argument.
  `rg -l --type yaml --hidden '#{name}' | xargs -n1 sed -i '' -e 's!uses: #{name}@.*$!uses: #{action}!g'`
end
# Undo any rewrites that landed in vendored copies of third-party code.
# `zsh -c 'git checkout -- **/vendor/'`

@lopopolo
Member Author

These docker containers were not updated away from latest:

docker://aquasec/tfsec:v1.28.1
docker://hadolint/hadolint:v2.12.0

@lopopolo
Member Author

I adopted this approach after seeing it in pyca/cryptography:

https://github.com/pyca/cryptography/blob/d34d05c2104fc6913f4c58fa2fd52b8ffec0604c/.github/workflows/ci.yml

@lopopolo lopopolo added the A-security Area: Security vulnerabilities and unsoundness issues. label Apr 28, 2023
@lopopolo lopopolo added the A-codesigning Area: Apple and GPG codesigning accounts and key material. label Jun 10, 2023