-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add guidance on pinning GitHub Actions and container images #69
Comments
I propose to add recommendation somewhere under @open-telemetry/governance-committee @open-telemetry/technical-committee @open-telemetry/sig-security-maintainers, thoughts? |
Thanks for raising this, as far as I remember the OpenSSF Scorecard Automation should catch that as well and raise an issue on repositories |
The automation creates a PR that changes all actions to pinned. But personally I think it goes overboard and in Jaeger we went back to semver refs in some places. Eg you want pinned versions in a workflow that performs a release, but not in the integration tests. |
@yurishkuro, do you mind sharing why did you go back to semver? The recommendation, as I understand it, is to have this: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 Both tools can then open a PR bumping that upon a new version: https://github.com/open-telemetry/opentelemetry-collector-releases/pull/578/files I'm probably missing something, but if your integration tests are using semver with |
@jpkrohling 99% of the time there is no benefit for me as a maintainer in minor bumps of the versions of GH actions, but it's a constant maintenance burden to merge those PRs. For example, for all integration tests, it makes no difference if the setup-go action is v4, v4.1, or v4.1.2. So I can define it as v4 semver and never worry about bumps PRs from dependabot (I just ran a test for last year of commits in Jaeger, 30% of them were from dep bots). But I cannot do |
Sounds like an automation issue? Renovate has a "noise reduction" feature, so that it would group related dependencies (like "all github actions") into one single PR, and you can adjust the frequency: https://docs.renovatebot.com/noise-reduction/ |
I agree these PRs create a lot of clutter if nothing else
thanks, I'm trying this out: open-telemetry/opentelemetry-java-instrumentation#11829 |
We are already using the grouping of dependencies in Jaeger, but it's not enough - if a project depends on a dozen GH actions there's a high chance at least one will have a new patch every week, which will create a new PR that provides exactly 0 value to me. So another thing I do is restrict certain groups to minor version bumps only & ignore patches. |
Patches use to have bugfixes (including security fixes). Not bumping them may not appropriate from security perspective. |
After introducing support for digest in testcoinares, Ref: |
Why
A bad actor can force push a tag so that GitHub Action to do some malicious actions.
A bad actor can push a malicious container image under the same name.
What
We should use digest pinning to mitigate the possibility of using a malicious GitHub Actions and container images.
It should also make the build more reproducible.
Some references:
When using GitHub Actions we can add a comment with a after the digest (e.g.
actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0
).Both Renovate and Dependabot can bump both the digest and the tag in the comment:
When using container images we can add the digest at the end (e.g.
node:14.15.1@sha256:d938c1761e3afbae9242848ffbb95b9cc1cb0a24d889f8bd955204d347a7266e
).Both Renovate and Dependabot can bump the image name and the digest as well:
The text was updated successfully, but these errors were encountered: