
Version pinning for GHA actions #12543

Open
straight-shoota opened this issue Sep 29, 2022 · 5 comments

Comments

@straight-shoota
Member

So I have this PR for upgrading the versions of actions running in GHA: #12501

For the Windows jobs we have pinned specific commits instead of versions (ref #11477 (comment)). I understand that this is more secure because the author of the action could technically move the tag to a different commit, right? And there's no lockfile to keep the versions pinned.

My question is, is this really necessary? (evidence suggests that it is a recommended safety practice: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/, https://michaelheap.com/ensure-github-actions-pinned-sha/)
And shouldn't we do this everywhere then?

The problem with commit hashes is that it's not clear what version they represent. So that makes it a bit difficult to manage and understand. Maybe there are tools which make this easier? (for example https://github.com/mheap/pin-github-action automatically adds comments referring to the version number).

We should probably look into a tool for automating action upgrades (that's regardless of using versions or hashes).
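As an added example (not code from this issue or from the Crystal project): a small Python check in the spirit of the ensure-github-actions-pinned-sha tooling linked above, run over a constructed workflow. It reports which `uses:` references are pinned to a full commit SHA, which still sit on a mutable tag or branch that the action's author could retarget, and which SHA pins lack the version comment that keeps them readable. The workflow text and the SHA value are constructed placeholders.

```python
import re

# Constructed sample workflow for the demo; the commit SHA is a placeholder,
# not a real actions/* commit.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v3.0.11
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-python@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.16
      - run: echo hello
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(.*))?\s*$")

def classify_uses(ref, comment):
    """Return how a single `uses:` reference is pinned."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local-or-docker"    # not a tag that a third party can move
    _, _, version = ref.partition("@")
    if SHA_RE.match(version):
        # A full SHA is immutable; a trailing comment keeps the version readable
        return "sha-pinned" if comment else "sha-pinned-uncommented"
    if TAG_RE.match(version):
        return "tag-pinned"         # mutable: the author can retarget the tag
    return "branch-pinned"          # mutable and moving, e.g. @main, or no ref at all

def audit_workflow(text):
    """Return (line number, ref, classification) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify_uses(m.group(1), m.group(2))))
    return findings

def unpinned(text):
    """Refs that a third party could silently retarget."""
    return [ref for _, ref, kind in audit_workflow(text)
            if kind in ("tag-pinned", "branch-pinned")]

if __name__ == "__main__":
    for lineno, ref, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind:24} {ref}")
```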

@caspiano
Contributor

Dependabot is very easy to set up, but it doesn't support bumping digests.
Renovatebot natively supports updating GitHub Action dependencies' digests, so that may be the way to go.

@straight-shoota
Member Author

Sounds good. I just checked that out on one of my repos.
Here is the PR that transforms versions into hashes: straight-shoota/crinja#54

@oprypin
Member

oprypin commented Oct 27, 2022

I think it's good to specify exact hashes for not-so-trustworthy sources. It looks nice to me what renovatebot does.

@oprypin
Member

oprypin commented Oct 28, 2022

I'd have a preference to hide the config away somehow, avoid clutter.

.github/renovate.json seems much better than renovate.json

And I commented here about another general thing #12678 (comment)

@Blacksmoke16
Member

Kinda late now, but FWIW it seems Dependabot does actually support this, just not automatically converting from tag to hash. Ref: dependabot/dependabot-core#4691
