Actions should be pinnable #95

zkoppert · 2024-04-15T22:19:56Z

Is your feature request related to a problem?

Pinning using a cryptographic hash or signature is considered a Best Practice to ensure that a specific version of a component is used, which can help in making builds more reproducible and trustworthy. All of our GitHub OSPO Actions do not follow the best practices in terms of being immutable ("pinnable").

Related OSPO Tool

stale-repos GitHub Action, issues-metrics GitHub Action, automatic-contrib-prs GitHub Action, evergreen GitHub Action, cleanowners GitHub Action, contributors GitHub Action

Describe the solution you'd like

See remediation paths at https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/unpinnable_action.md#remediation

Ideally we would make our actions pinnable, update our docs to encourage that practice, and ensure our CI components are all pinned.

Describe alternatives you've considered

none

Additional context

Found based on running the poutine tool

jmeridth · 2024-05-03T08:58:34Z

Turned on OSSF Scorecard on stale-repos and the results agree with this issue. 😄 Will work through them all in a PR per repo.

Part of github/github-ospo#95 Fix up the last few GitHub Actions uses with SHAs instead of tags Signed-off-by: jmeridth <[email protected]>

Relates to github/github-ospo#84 Relates to github/github-ospo#95 - [x] setup OSSF scorecard github action - [x] setup OSSF scorecard readme badge - [x] change current GitHub Actions to use SHAs instead of tags Signed-off-by: jmeridth <[email protected]>

jmeridth · 2024-05-07T12:31:40Z

This is complete

zkoppert added the enhancement New feature or request label Apr 15, 2024

This was referenced May 4, 2024

chore: security remediation after turning on ossf scorecoard github/stale-repos#131

Merged

chore: move to pipenv for package management github/stale-repos#132

Draft

jmeridth added a commit to github/stale-repos that referenced this issue May 6, 2024

chore: change last few github actions to use shas

55a1ced

Part of github/github-ospo#95 Fix up the last few GitHub Actions uses with SHAs instead of tags Signed-off-by: jmeridth <[email protected]>

jmeridth mentioned this issue May 6, 2024

chore: change last few github actions to use shas github/stale-repos#136

Merged

5 tasks

jmeridth mentioned this issue May 7, 2024

chore: add OSSF scorecard github action and README badge github/cleanowners#71

Merged

7 tasks

jmeridth mentioned this issue May 7, 2024

chore: add OSSF scorecard github action and README badge github/contributors#103

Merged

7 tasks

jmeridth mentioned this issue May 7, 2024

chore: add OSSF scorecard github action and README badge github/automatic-contrib-prs#62

Merged

7 tasks

jmeridth mentioned this issue May 7, 2024

chore: add OSSF scorecard github action and README badge github/evergreen#122

Merged

7 tasks

jmeridth mentioned this issue May 7, 2024

chore: add OSSF scorecard github action and README badge github/issue-metrics#267

Merged

7 tasks

jmeridth self-assigned this May 7, 2024

jmeridth closed this as completed May 7, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Actions should be pinnable #95

Actions should be pinnable #95

zkoppert commented Apr 15, 2024

jmeridth commented May 3, 2024

jmeridth commented May 7, 2024

Actions should be pinnable #95

Actions should be pinnable #95

Comments

zkoppert commented Apr 15, 2024

Is your feature request related to a problem?

Related OSPO Tool

Describe the solution you'd like

Describe alternatives you've considered

Additional context

jmeridth commented May 3, 2024

jmeridth commented May 7, 2024