The GitHub Actions documentation on "Using 3rd Party Actions" states that users should:

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

However, GitHub does not currently provide a way for users to enforce this guideline when new GitHub Actions are added to a repository. Instead, users are turning to 3rd party actions like the following:

https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions

At Teleport, we already use dependency review to look for security and license issues in incoming dependencies. I'd also like dependency-review-action to have a way to enforce that dependencies are pinned. I care about this feature for GitHub Actions more than my other ecosystems (go, javascript, terraform) because those ecosystems have lock files built into the dependency management toolchain.

@wadells thank you for taking the time to share your ideas.
I think this would be a nice thing to have, maybe added as a config option (another one 😅) to maintain support with existing users. I've tagged it and hopefully can get to this at some point in the future. If you want to open a pull request I'd be more than happy to help out getting this out quicker.
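As an added example, not code from the issue, from dependency-review-action, or from the action linked above: a check of the kind the issue asks for, written in Python and run over a constructed workflow file. It goes slightly beyond the issue in that it also covers job-level reusable-workflow references, abbreviated SHAs, quoted references, and local and Docker references, and it takes an allowlist parameter so trusted owners can be exempted. The allowlist, the `example-org` repositories, the SHA values and the status names are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed workflow (not taken from any real repository) covering the cases
# a pin check has to tell apart: tag and branch refs, a full SHA with the
# usual "# vX.Y.Z" comment, an abbreviated SHA, a local action, a Docker
# image, a quoted ref, and a job-level reusable-workflow reference.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@main
      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/deploy-action@0123456
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: 'actions/upload-artifact@v4'
      - run: echo hello
  release:
    uses: example-org/workflows/.github/workflows/release.yml@0123456789abcdef0123456789abcdef01234567 # v2.0.0
"""

# Git (and therefore GitHub) object IDs are 40 lowercase hex digits (SHA-1).
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Matches `uses:` both as a step entry (`- uses:`) and as a job-level key, with
# an optional trailing comment. `uses` inside a YAML flow mapping is not handled.
USES_LINE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<ref>\"[^\"]*\"|'[^']*'|[^\s#]+)(?:\s*#\s*(?P<comment>.*?))?\s*$"
)


@dataclass
class Finding:
    line: int
    ref: str
    status: str              # pinned | unpinned | short-sha | local | docker | allowlisted
    comment: Optional[str]   # text after '#', usually the tag the SHA was resolved from


def classify(ref: str, allowlist: Sequence[str] = ()) -> str:
    """Decide whether one `uses:` reference satisfies the full-SHA guideline.

    `allowlist` is an assumed config knob (owners or owner/repo values whose
    actions may stay unpinned), not an existing dependency-review-action input.
    """
    if ref.startswith("./"):
        return "local"      # lives in the repository under review; nothing to pin
    if ref.startswith("docker://"):
        return "docker"     # an image ref; pin those by digest, not covered here
    if "@" not in ref:
        return "unpinned"   # no ref at all resolves to the action's default branch
    repo, _, version = ref.rpartition("@")
    owner = repo.split("/", 1)[0]
    if FULL_SHA.fullmatch(version):
        return "pinned"
    if owner in allowlist or repo in allowlist:
        return "allowlisted"
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return "short-sha"  # a prefix, not an immutable object ID
    return "unpinned"       # tag or branch: mutable, can be moved to new code


def check_pins(workflow_text: str, allowlist: Sequence[str] = ()) -> List[Finding]:
    """Scan a workflow file's text and classify every `uses:` reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("\"'")
        findings.append(Finding(lineno, ref, classify(ref, allowlist), m.group("comment")))
    return findings


def violations(findings: List[Finding]) -> List[Finding]:
    """The findings that should fail a pull request."""
    return [f for f in findings if f.status in ("unpinned", "short-sha")]


if __name__ == "__main__":
    found = check_pins(SAMPLE_WORKFLOW)
    for f in found:
        print(f"line {f.line:>2}  {f.status:<12} {f.ref}")
    bad = violations(found)
    print(f"{len(bad)} violation(s)")
    raise SystemExit(1 if bad else 0)
```

Run as a script it prints one line per reference and exits non-zero when anything is unpinned or pinned only to a short SHA, which is what a required status check needs. It covers only the first half of the quoted guideline: a text scan cannot tell whether a full SHA belongs to the action's repository or to a fork. One way to close that gap is to take the tag named in the trailing comment, resolve it against the upstream repository (for example with `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>`), and require that the resolved commit equals the pinned SHA; a commit that exists only in a fork is not the target of an upstream tag.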