Version pinning for GHA actions #12543
Comments
Dependabot is very easy to set up, but it doesn't support bumping digests.
Sounds good. I just checked that out on one of my repos.
I think it's good to specify exact hashes for not-so-trustworthy sources. It looks nice to me what renovatebot does.
I'd have a preference to hide the config away somehow, avoid clutter.
And I commented here about another general thing #12678 (comment)
Kinda late now, but FWIW it seems Dependabot does actually support this, just not automatically converting from tag to hash automatically. Ref: dependabot/dependabot-core#4691
So I have this PR for upgrading the versions of actions running in GHA: #12501
For the Windows jobs we have pinned specific commits instead of versions (ref #11477 (comment)). I understand that this is more secure because the author of the action could technically move the tag to a different commit, right? And there's no lockfile to keep the versions pinned.
My question is, is this really necessary? (evidence suggests that it is a recommended safety practice: https://julienrenaux.fr/2019/12/20/github-actions-security-risk/, https://michaelheap.com/ensure-github-actions-pinned-sha/)
And shouldn't we do this everywhere then?
The problem with commit hashes is that it's not clear what version they represent. So that makes it a bit difficult to manage and understand. Maybe there are tools which make this easier? (for example https://github.com/mheap/pin-github-action automatically adds comments referring to the version number).
We should probably look into a tool for automating action upgrades (that's regardless of using versions or hashes).
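The issue above weighs tag pins (readable, but movable by the action author) against commit-SHA pins (immutable, but opaque without a version comment). A small audit that makes the difference visible is shown below. It is an added example, not code from this issue, from Dependabot, Renovate or pin-github-action; the workflow text and the two 40-hex SHAs in it are constructed for the demonstration and do not refer to real commits. It walks a workflow file line by line, classifies every `uses:` reference as SHA-pinned, tag-pinned, branch-pinned, local or `docker://`, and reports the two things a reviewer would want flagged: references that a third party can still move (tags and branches), and SHA pins that carry no `# vX.Y.Z` comment saying which version they correspond to.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflow (not from any real repository). The two SHAs are
# placeholder hex strings of the right length, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v4.2.0
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
      - uses: some-org/some-action@main
"""

# A full git object id: the only form of ref the action author cannot move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Conventional release tags such as v3, v3.0.11, 2.1
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")
# A `uses:` line: optional list dash, optional quotes, then an optional trailing
# "# comment" that pin tools use to record the human-readable version.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*?))?\s*$")


@dataclass
class Finding:
    line: int                       # 1-based line number in the workflow file
    ref: str                        # the full "owner/repo@ref" string as written
    kind: str                       # "sha", "tag", "branch", "local" or "docker"
    version_comment: Optional[str]  # trailing "# v4.2.0"-style comment, if present


def classify(uses: str) -> str:
    """Classify a single `uses:` value by how its ref is pinned."""
    if uses.startswith("./"):
        return "local"      # lives in this repo; versioned with the workflow itself
    if uses.startswith("docker://"):
        return "docker"     # image refs are pinned separately (by digest), out of scope here
    if "@" not in uses:
        return "branch"     # no ref at all resolves to the action's default branch
    ref = uses.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"         # anything else (main, master, feature branches, short refs)


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line in a workflow file."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses, comment = m.group(1), m.group(2)
        findings.append(Finding(number, uses, classify(uses), comment or None))
    return findings


def mutable_refs(findings: List[Finding]) -> List[Finding]:
    """References the action's author could repoint: tags and branches."""
    return [f for f in findings if f.kind in ("tag", "branch")]


def sha_without_version_comment(findings: List[Finding]) -> List[Finding]:
    """SHA pins that give the reader no hint which version they correspond to."""
    return [f for f in findings if f.kind == "sha" and not f.version_comment]


if __name__ == "__main__":
    results = audit_workflow(SAMPLE_WORKFLOW)
    for f in mutable_refs(results):
        print(f"line {f.line}: {f.ref} is pinned to a movable {f.kind}")
    for f in sha_without_version_comment(results):
        print(f"line {f.line}: {f.ref} is SHA-pinned but has no version comment")
```

Run against the constructed workflow, the report names the `@v3` and `@main` references as movable and the bare SHA pin on the cache action as lacking a version comment; the setup-python step passes both checks because it combines the immutable SHA with a `# v4.2.0` comment, which is the form the pin tools mentioned in the issue produce. The checker is deliberately line-based rather than a YAML parser so that it reports the exact line a reviewer would edit.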