Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add guidance on pinning GitHub Actions and container images #69

Open
pellared opened this issue Jul 10, 2024 · 10 comments
Open

Add guidance on pinning GitHub Actions and container images #69

pellared opened this issue Jul 10, 2024 · 10 comments

Comments

@pellared
Copy link
Member

pellared commented Jul 10, 2024

Why

A bad actor can force push a tag so that GitHub Action to do some malicious actions.

A bad actor can push a malicious container image under the same name.

What

We should use digest pinning to mitigate the possibility of using a malicious GitHub Actions and container images.
It should also make the build more reproducible.
Some references:

When using GitHub Actions we can add a comment with a after the digest (e.g. actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0).
Both Renovate and Dependabot can bump both the digest and the tag in the comment:

When using container images we can add the digest at the end (e.g. node:14.15.1@sha256:d938c1761e3afbae9242848ffbb95b9cc1cb0a24d889f8bd955204d347a7266e).
Both Renovate and Dependabot can bump the image name and the digest as well:

@pellared
Copy link
Member Author

I propose to add recommendation somewhere under /docs that explain how to pin the container images and GitHub Actions and how to configure Dependabot and Renovate to have them being bumped.

@open-telemetry/governance-committee @open-telemetry/technical-committee @open-telemetry/sig-security-maintainers, thoughts?

@svrnm
Copy link
Member

svrnm commented Jul 10, 2024

Thanks for raising this, as far as I remember the OpenSSF Scorecard Automation should catch that as well and raise an issue on repositories

@yurishkuro
Copy link
Member

The automation creates a PR that changes all actions to pinned. But personally I think it goes overboard and in Jaeger we went back to semver refs in some places. Eg you want pinned versions in a workflow that performs a release, but not in the integration tests.

@jpkrohling
Copy link
Member

@yurishkuro, do you mind sharing why did you go back to semver? The recommendation, as I understand it, is to have this:

      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

Source: https://github.com/open-telemetry/opentelemetry-collector-releases/blob/2dd46ba38de4affe3ff923959d23291f5c89aca9/.github/workflows/base-release.yaml#L38

Both tools can then open a PR bumping that upon a new version: https://github.com/open-telemetry/opentelemetry-collector-releases/pull/578/files

I'm probably missing something, but if your integration tests are using semver with 4.1 and 4.1.7 was just released, you'd automatically use this new 4.1.7 without being aware of that. Beyond the security aspects, wouldn't it be bad in case of test failures introduced by that change? Is it about reducing the review burden on maintainers?

@yurishkuro
Copy link
Member

yurishkuro commented Jul 11, 2024

@jpkrohling 99% of the time there is no benefit for me as a maintainer in minor bumps of the versions of GH actions, but it's a constant maintenance burden to merge those PRs. For example, for all integration tests, it makes no difference if the setup-go action is v4, v4.1, or v4.1.2. So I can define it as v4 semver and never worry about bumps PRs from dependabot (I just ran a test for last year of commits in Jaeger, 30% of them were from dep bots). But I cannot do v4 if it's pinned by hash.

@jpkrohling
Copy link
Member

it's a constant maintenance burden to merge those PRs

Sounds like an automation issue? Renovate has a "noise reduction" feature, so that it would group related dependencies (like "all github actions") into one single PR, and you can adjust the frequency: https://docs.renovatebot.com/noise-reduction/

@trask
Copy link
Member

trask commented Jul 16, 2024

I just ran a test for last year of commits in Jaeger, 30% of them were from dep bots

I agree these PRs create a lot of clutter if nothing else

Renovate has a "noise reduction" feature, so that it would group related dependencies (like "all github actions") into one single PR, and you can adjust the frequency: https://docs.renovatebot.com/noise-reduction/

thanks, I'm trying this out: open-telemetry/opentelemetry-java-instrumentation#11829

@trask trask transferred this issue from open-telemetry/community Aug 29, 2024
@yurishkuro
Copy link
Member

Sounds like an automation issue? Renovate has a "noise reduction" feature, so that it would group related dependencies (like "all github actions") into one single PR

We are already using the grouping of dependencies in Jaeger, but it's not enough - if a project depends on a dozen GH actions there's a high chance at least one will have a new patch every week, which will create a new PR that provides exactly 0 value to me. So another thing I do is restrict certain groups to minor version bumps only & ignore patches.

@pellared
Copy link
Member Author

So another thing I do is restrict certain groups to minor version bumps only & ignore patches.

Patches use to have bugfixes (including security fixes). Not bumping them may not appropriate from security perspective.

@Kielek
Copy link

Kielek commented Nov 4, 2024

After introducing support for digest in testcoinares,
we have pinned both GH actions and docker images to SHA in OTel .NET Auto repo. No issues so far.

Ref:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

6 participants