Description
When developing with CI workflows, it's common to pin dependencies to a version tag (e.g. actions/checkout@v3). However, version tags are mutable, so an attacker who gains write access to the action's repository could repoint a version tag at a malicious or vulnerable commit.
Solution
Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.
These dependencies can be kept up to date with renovatebot, which three.js already uses. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment (see this PR in my fork for an example).
I'll send a PR pinning the workflow Actions and configuring renovatebot to keep them up to date along with this issue.
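As an added illustration (not part of the issue or the three.js repository), the check below audits a workflow file for `uses:` references that still point at a mutable tag or branch instead of a full commit hash, and flags hash-pinned entries that lack the trailing version comment renovatebot relies on. The sample workflow and the 40-hex SHA in it are constructed placeholders, not real action commits.

```python
import re

# Matches the value of a `uses:` key in a GitHub Actions workflow step:
# owner/repo[/path]@ref, optionally followed by a trailing "# version" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Return (line_no, action, ref, comment, status) for each external action.

    status is "pinned" when ref is a full 40-hex commit SHA and a version
    comment is present, "pinned, no version comment" when the comment is
    missing (tooling cannot tell which release the hash corresponds to), and
    "mutable" for any tag or branch name the action's owner can repoint.
    Local actions (./path) ship with the repository and docker:// images are
    not git refs at all, so both are skipped.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group(1), (m.group(2) or "").strip()
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.rpartition("@")
        if not FULL_SHA_RE.match(ref):
            status = "mutable"
        elif comment:
            status = "pinned"
        else:
            status = "pinned, no version comment"
        findings.append((line_no, action or spec, ref, comment, status))
    return findings

def unpinned(text):
    """Only the findings that a reviewer should block the workflow on."""
    return [f for f in audit_workflow(text) if f[4] == "mutable"]

# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.7.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: actions/cache@main
"""

if __name__ == "__main__":
    for line_no, action, ref, comment, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} -> {status}")
```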
Alternatives
GitHub's dependabot can also keep hashes up to date, but three.js already uses renovatebot.
Additional context
I'm Pedro and I'm working to improve the supply-chain security of important projects such as three.js (see #26204).