Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hash-pin workflow GitHub Actions #818

Open
pnacht opened this issue Sep 4, 2023 · 0 comments · May be fixed by #819
Open

Hash-pin workflow GitHub Actions #818

pnacht opened this issue Sep 4, 2023 · 0 comments · May be fixed by #819

Comments

@pnacht
Copy link
Contributor

pnacht commented Sep 4, 2023

Hey, it's Pedro (see #779 and #781) and I'm back with a new security suggestion!

When developing with CI workflows, it's common to version-pin dependencies (i.e. actions/checkout@v3). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.

Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.

These hashes can be automatically updated by dependabot. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment (see this repo as an example).

I'll send a PR pinning the Actions along with this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant