Pin dependencies in github action workflows and Dockerfile

[bobcallaway]

Addressing https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

data from running: scorecard --show-details --repo=https://github.com/sigstore/rekor/ --checks Pinned-Dependencies --format json:

{
  "date": "2022-01-12",
  "repo": {
    "name": "github.com/sigstore/rekor",
    "commit": "91ff490a51a99b9bd726255f851aa22e6b2ce802"
  },
  "scorecard": {
    "version": "b79b3c3",
    "commit": "b79b3c357c99a38afabbdbdab1047c15c0db4afd"
  },
  "score": 2,
  "checks": [
    {
      "details": [
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/build.yml:37",
        "Warn: third-party action not pinned by hash: .github/workflows/build.yml:38",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/build.yml:43",
        "Warn: third-party action not pinned by hash: .github/workflows/build.yml:50",
        "Warn: third-party action not pinned by hash: .github/workflows/build.yml:55",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/codeql-analysis.yml:38",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/codeql-analysis.yml:42",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/codeql-analysis.yml:46",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/codeql-analysis.yml:51",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/main.yml:49",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/main.yml:52",
        "Warn: third-party action not pinned by hash: .github/workflows/main.yml:55",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/main.yml:70",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/main.yml:75",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/main.yml:81",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/main.yml:29",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/main.yml:32",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/milestone.yml:26",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/validate-release.yml:42",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/validate-release.yml:45",
        "Warn: third-party action not pinned by hash: .github/workflows/validate-release.yml:48",
        "Warn: third-party action not pinned by hash: .github/workflows/validate-release.yml:50",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/verify.yml:25",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/verify.yml:28",
        "Warn: GitHub-owned action not pinned by hash: .github/workflows/verify.yml:43",
        "Warn: third-party action not pinned by hash: .github/workflows/verify.yml:47",
        "Warn: docker image not pinned by hash: Dockerfile:16",
        "Warn: docker image not pinned by hash: Dockerfile:33",
        "Warn: docker image not pinned by hash: Dockerfile:42",
        "Warn: go installation not pinned by hash: Dockerfile:43",
        "Info: no insecure (not pinned by hash) dependency downloads found in shell scripts",
        "Warn: go installation not pinned by hash: .github/workflows/verify.yml:33"
      ],
      "score": 2,
      "reason": "dependency not pinned by hash detected -- score normalized to 2",
      "name": "Pinned-Dependencies",
      "documentation": {
        "url": "https://github.com/ossf/scorecard/blob/b79b3c357c99a38afabbdbdab1047c15c0db4afd/docs/checks.md#pinned-dependencies",
        "short": "Determines if the project has declared and pinned its dependencies."
      }
    }
  ],
  "metadata": null
}

Signed-off-by: Bob Callaway [email protected]

Summary

Ticket Link

Fixes

Release Note

[asraa]

Does dependabot automatically pick up github actions workflow or do we need a dependabot config?

[cpanato]

Does dependabot automatically pick up github actions workflow or do we need a dependabot config?

we already have the config for that https://github.com/sigstore/rekor/blob/main/.github/dependabot.yml#L27 but I'm not sure if dependabot will work for this approach or it only work for "tags"
lets see :)

[bobcallaway]

Does dependabot automatically pick up github actions workflow or do we need a dependabot config?

we already have the config for that https://github.com/sigstore/rekor/blob/main/.github/dependabot.yml#L27 but I'm not sure if dependabot will work for this approach or it only work for "tags" lets see :)

Apparently they've been supporting this (update on digest, not just tag) for over a year - see https://github.com/google/go-github/pull/2049/files for an example

[bobcallaway]

Does dependabot automatically pick up github actions workflow or do we need a dependabot config?

we already have the config for that https://github.com/sigstore/rekor/blob/main/.github/dependabot.yml#L27 but I'm not sure if dependabot will work for this approach or it only work for "tags" lets see :)

Apparently they've been supporting this (update on digest, not just tag) for over a year - see https://github.com/google/go-github/pull/2049/files for an example

@cpanato Only thing to be aware of is that the # vX.Y.Z comment at the end of the digest value isn't automatically updated by dependabot so ideally we'd manually update this for each dependabot PR when they come in (until they add this capability)

[cpanato]

that is ok, we can do that :)