Pin SHA values as version numbers for 3rd party GHAs #29485
Conversation
Size Change: 0 B Total Size: 1.39 MB
Looks like the failing tests are also failing currently in
What is an immutable release?
Immutable release means it's unable to be changed. SHAs are the only way to guarantee that what's checked out cannot be changed to something else. Tags can be moved or deleted, but the SHAs cannot be changed.
Cool, cool. Would it make sense to enforce this somehow? Just thinking about what would happen if a future developer writes a new action but doesn't know to do this.
We could! Not sure how easy that is to build into the automation scripts you have going. I think including a link to the security best practices in the PR description somewhere in contributing documentation could also suffice.
How about actions like Mostly curious if we could keep using tags for those, as they're a bit nicer on the eye 😄
Technically yes, they are 1st party. But, because they are separate repositories and not included on the runners, it's always possible that a bad actor has access to one of the repositories. Where these actions are the most used of any on the marketplace, they're ideal targets should anyone be trying to exploit an action. Trusting the GH actions would fall under the third item listed in the related section on the page linked in the description: "Pin actions to a tag only if you trust the creator". We could declare that all official GitHub actions are "trusted". But it's probably just easier to just have a consistent policy across the board, and it's the most secure.
This gave me an idea! I have added a
(cherry picked from commit 80b6e5b)
Description
This PR changes the version numbers specified for 3rd party GitHub Action scripts to SHA values. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
All SHAs reference the same version of the action script that was being used prior to this PR, except the styfle/cancel-workflow-action action, which has been upgraded from 0.4.0 to 0.8.0 (latest version).
See: https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions.
Related: https://core.trac.wordpress.org/changeset/50474.
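The conversation above asks whether the SHA-pinning policy could be enforced automatically so a future contributor cannot reintroduce a tag-pinned action by accident. The script below is an added example, not code from this PR or from the Gutenberg repository: it scans workflow YAML for `uses:` references and reports any that are not pinned to a full 40-hex-character commit SHA, and separately reports SHA pins that lack a trailing `# vX.Y.Z` comment (the comment is what lets a reviewer see which release the SHA is meant to be). It parses line by line with a regular expression rather than a YAML library so it runs with no extra packages. The sample workflow, its SHAs and the function names are all constructed for this example.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for the pinning policy discussed in the PR; not project code.
Local actions (`./path`) and `docker://` images carry no `@ref` of this form and
are deliberately not matched.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import List, NamedTuple

# `- uses: owner/repo[/sub/path]@ref  # optional comment`, with optional quoting.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[^@'\"\s]+)?)@(?P<ref>[^'\"\s#]+)"
    r"['\"]?\s*(?:#\s*(?P<comment>.*))?$"
)
# Git prints commit SHAs as 40 lowercase hex characters; anything else is a mutable ref.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    problem: str  # "unpinned" or "no-version-comment"


def check_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that violates the pinning policy."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            # Tag or branch: can be moved or deleted, so the checked-out code can change.
            findings.append(Finding(line_no, action, ref, "unpinned"))
        elif not comment:
            # Pinned, but nobody reading the file can tell which release the SHA is.
            findings.append(Finding(line_no, action, ref, "no-version-comment"))
    return findings


# Constructed sample; the SHAs are placeholders, not real commits of these actions.
SAMPLE_WORKFLOW = """\
# constructed sample workflow
jobs:
  build:
    steps:
      - uses: actions/checkout@v2
      - uses: styfle/cancel-workflow-action@0.8.0
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v2.1.5
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.13
"""


def main(argv: List[str]) -> int:
    """Scan the given workflow files (or the built-in sample) and exit non-zero on findings."""
    paths = [Path(p) for p in argv] or []
    sources = [(str(p), p.read_text()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for name, text in sources:
        for f in check_workflow(text):
            total += 1
            print(f"{name}:{f.line_no}: {f.problem}: {f.action}@{f.ref}")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python check_pins.py .github/workflows/*.yml` from a CI job or pre-commit hook to make the check part of the automation the discussion mentions; with no arguments it scans the embedded sample and reports the two tag-pinned actions and the SHA pin with no version comment.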