Skip to content

Pin full length commit SHA for 3rd party actions. #55

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 23, 2025
Merged

Pin full length commit SHA for 3rd party actions. #55

merged 1 commit into from
Apr 23, 2025

Conversation

desrosj
Copy link
Member

@desrosj desrosj commented Mar 20, 2025

Proposed changes

This implements the recommendation to pin full length commit SHAs instead of versions or branches when using 3rd-party GitHub Actions to protect from supply chain attacks.

This has been happening more often recently, with a number of popular actions having all of their tags updated with a buried vulnerability.

While the new notation is more verbose, a bit ugly, and requires every update to be applied manually, we can rely on Dependabot to handle that for us to make it more manageable.

This also updates the following actions to their latest versions:

  • peter-evans/repository-dispatch from v1 to 3.0.0

Recent examples

Examples of actions being exploited in the wild:

Production

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Dependency update
  • Refactoring / housekeeping (changes to files not directly related to functionality)

Development

  • Tests
  • Dependency update
  • Environment update / refactoring
  • Documentation Update
  • Build/Test Tooling update

Checklist

  • I have read the CONTRIBUTING doc
  • I have viewed my change in a web-browser
  • Linting and tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

Further comments

GitHub is looking into providing immutable releases for actions (which would allow versions to be used again), and this is currently in the Q3 2025 roadmap. But we should use full SHA values until then.

See also newfold-labs/workflows#22.

@desrosj
Pin full length commit SHA for 3rd party actions.
bca7829 
This implements the recommendation to pin full length commit SHAs instead of versions or branches when using 3rd-party GitHub Actions to protect from supply chain attacks.

This has been happening more often recently, with a number of popular actions having all of their tags updated with a buried vulnerability.

While the new notation is more verbose, a bit ugly, and requires every update to be applied manually, we can rely on Dependabot to handle that for us to make it more manageable.

Additionally, this updates each action to its latest version.
@desrosj desrosj self-assigned this Mar 20, 2025
@circlecube circlecube merged commit 0d9d621 into main Apr 23, 2025
5 of 6 checks passed
@circlecube circlecube deleted the gha/pin-full-length-shas branch April 23, 2025 17:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@circlecube circlecube circlecube approved these changes

Assignees

@desrosj desrosj

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@desrosj @circlecube