
Feature: Support GitHub Immutable Actions, don't enforce pinning by digest for those #4489

Open
JPLachance opened this issue Jan 14, 2025 · 2 comments

Comments

@JPLachance

Is your feature request related to a problem? Please describe.

GitHub started to rollout Immutable Actions using a new publishing method.

GitHub CodeQL started to raise issues for Actions that are "immutable" and not pulled by tag.

[Screenshot, 2025-01-09 2:41:45 PM: CodeQL alert on an immutable action]

So at the moment:

  • A developer can make CodeQL happy, but the Scorecard tells the developer Warn: GitHub-owned GitHubAction not pinned by hash
  • A developer can make Scorecard happy, but CodeQL isn't anymore

Describe the solution you'd like

Ideally, we would update Scorecard to take into account the new GitHub Immutable Actions. When an Action is an Immutable one, we would not tell the developer to pin the action by digest.

The current list of Immutable Actions used by CodeQL can be found here. Far from ideal, but it's a starting point.

Describe alternatives you've considered

At the moment, I'm dismissing the Scorecard findings one by one, but it still affects the score of public repositories negatively.

Additional context

Related issues:

@JPLachance JPLachance added the kind/enhancement New feature or request label Jan 14, 2025
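As an added illustration of the exemption this request describes (example code, not Scorecard's own implementation), the function below scans the `uses:` references in a workflow, treats a 40-hex ref as pinned by digest, and would skip the "not pinned by hash" warning only for actions on an immutable-actions allowlist. The allowlist and the workflow are constructed placeholders, since the page does not reproduce the real list.

```python
import re

# `uses: owner/repo[/path]@ref  # optional comment`; local (./...) and
# docker:// references carry no "@ref" in this form and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)", re.MULTILINE
)
# A full commit SHA-1 is the digest form Scorecard accepts as "pinned by hash".
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed placeholder for the immutable-actions list mentioned in the issue.
IMMUTABLE_ACTIONS = {"example-org/immutable-action"}


def classify_uses(workflow_yaml, immutable=IMMUTABLE_ACTIONS):
    """Return (action, ref, status) for every remote action reference.

    status is one of:
      pinned-by-digest  - ref is a full commit SHA (accepted today)
      immutable-tag     - tag ref, but the action is immutable (proposed: no warning)
      warn-not-pinned   - tag/branch ref on a mutable action (Scorecard warns)
    """
    results = []
    for m in USES_RE.finditer(workflow_yaml):
        action, ref = m.group(1), m.group(2)
        if SHA_RE.match(ref):
            status = "pinned-by-digest"
        elif action in immutable:
            status = "immutable-tag"
        else:
            status = "warn-not-pinned"
        results.append((action, ref, status))
    return results


# Constructed sample workflow; the SHA below is a made-up value, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: example-org/immutable-action@v1
      - uses: some-org/other-action@v2
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for action, ref, status in classify_uses(SAMPLE_WORKFLOW):
        print(f"{status:17} {action}@{ref}")
```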
@spencerschrock
Member

spencerschrock commented Jan 14, 2025

Can you link the "Consuming immutable actions" reference, or is the link broken (private github.com/github repository)?

> GitHub CodeQL started to raise issues for Actions that are "immutable" and not pulled by tag.

My initial thought is that pinning by SHA should be acceptable to both tools. When I tried to find more info, I found this issue upstream (github/codeql-action#2659) which implies that the alert shouldn't be firing anymore (not sure if they agree about SHAs, but rather it was meant to be internal for now).

> Ideally, we would update Scorecard to take into account the new GitHub Immutable Actions

Agreed, which is what led me to open one of the issues you linked (actions/publish-immutable-action#216).

> The current list of Immutable Actions used by CodeQL can be found here. Far from ideal, but it's a starting point.

Also agree, but thanks for sharing the link!

@JPLachance
Author

Well, the funny thing is that the "Consuming immutable actions" link points to nothing 😅 : https://github.com/github/codeql/blob/main/actions/ql/src/Security/CWE-829/UnversionedImmutableAction.md?plain=1

If CodeQL truly decides to drop this check, fine with me! I'll let you choose whether to close this feature request. I agree that pinning by digest should still be viewed as "a good thing".
