
Use immutable references for external GitHub Actions

Open matrss opened this issue 9 months ago • 11 comments

Referencing third-party actions by version tag can be dangerous if that actions repository is compromised, since git tags are mutable and an attacker can therefore change what gets executed. See e.g. this for a recent example of this kind of attack: https://alexwlchan.net/2025/github-actions-audit/.

We should replace all mutable references with immutable commit shas. We can still use dependabot for updates as it recognizes this approach using a syntax like this:

       uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4

matrss avatar Mar 26 '25 08:03 matrss

@matrss I have changed the mutable actions/checkout@v4 and prefix-dev/[email protected] to their respective immutable commit SHAs. Now how should I test them, and what other changes should I make to resolve this issue?

levi178u avatar Apr 12 '25 16:04 levi178u

What have we done that we don't pin by hash? It seems that with hash pinning we can also write the version string as a comment.

https://github.com/dependabot/dependabot-core/issues/4691

ReimarBauer avatar Apr 14 '25 05:04 ReimarBauer

This needs a review: https://stacklok.com/blog/automating-security-for-github-actions-in-minder

ReimarBauer avatar Apr 16 '25 08:04 ReimarBauer

looks good to me https://github.com/stacklok/frizbee#installation

We maybe can prepare an action based on this

ReimarBauer avatar Apr 16 '25 09:04 ReimarBauer

link to: https://github.com/prefix-dev/pixi/pull/3369

ReimarBauer avatar Apr 16 '25 09:04 ReimarBauer

Because this action receives frequent updates, it often invalidates manually added checksums https://github.com/marketplace/actions/setup-pixi

This issue gets only closed after we automated checksum updates

ReimarBauer avatar Apr 16 '25 10:04 ReimarBauer

This issue gets only closed after we automated checksum updates

AFAIU they are already automated by dependabot.

matrss avatar Apr 16 '25 15:04 matrss

When I use frizbee locally it updates to the commit hash. I tried to add that.
https://github.com/stacklok/frizbee-action

I don't want to keep manually adding PRs for having an immutable reference. An automated PR is fine, or dependabot does it similarly in one shot.

ReimarBauer avatar Apr 17 '25 08:04 ReimarBauer

My understanding is that dependabot updates with pinned hashes if the action already uses a pinned hash. So the same thing as frizbee's updates, as soon as we have pinned them all once. The lint job to ensure that all action uses are pinned makes a lot of sense though.

matrss avatar Apr 17 '25 09:04 matrss
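The lint job mentioned above, as an added example that is not code from the MSS project, frizbee or dependabot: a standard-library Python checker that scans `uses:` lines in workflow files and reports any third-party action that is not pinned to a full 40-hex commit SHA. It treats local actions (`./...`) as fine, accepts `docker://` images only with a `sha256:` digest, and warns (without failing the job) when a SHA is pinned but lacks the `# vX.Y.Z` comment that dependabot maintains. The embedded workflow text and the `example-org/*` action names are constructed sample input; the commit SHA on the `actions/checkout` line is the one quoted in this issue.

```python
"""Lint GitHub Actions workflows for unpinned third-party action references.

Added example (not part of MSS, frizbee or dependabot). Uses only the
standard library: `uses:` lines are matched with a regex rather than a YAML
parser, which is enough for a CI gate over .github/workflows/*.yml.
"""
import re
import sys
from pathlib import Path

# A `uses:` step line: optional list dash, optional quotes, the reference,
# then an optional trailing comment (dependabot keeps the version string there).
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^\s"\'#]+)["\']?\s*(?:#\s*(?P<comment>.*\S))?\s*$'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DOCKER_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample workflow; only the actions/checkout SHA comes from the issue.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: example-org/example-action@main
      - uses: "example-org/other-action@0123456789abcdef0123456789abcdef01234567"
"""


def classify(ref, comment):
    """Return None if the reference is acceptable, else (reason, blocking)."""
    if ref.startswith("./"):
        return None  # local action: versioned together with this repository
    if ref.startswith("docker://"):
        if DOCKER_DIGEST_RE.search(ref):
            return None
        return ("docker image without sha256 digest", True)
    if "@" not in ref:
        return ("no version reference at all", True)
    _, _, version = ref.rpartition("@")
    if not FULL_SHA_RE.match(version):
        # A tag or branch name: the action repository can move it at any time.
        return (f"mutable reference '{version}' (tag or branch, not a full commit SHA)", True)
    if not comment:
        # Pinned, but humans and dependabot rely on the `# vX.Y.Z` comment.
        return ("pinned SHA without a version comment", False)
    return None


def lint_workflow(text):
    """Scan workflow text; return (line_no, ref, reason, blocking) per finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        result = classify(m.group("ref"), m.group("comment"))
        if result:
            reason, blocking = result
            findings.append((line_no, m.group("ref"), reason, blocking))
    return findings


def main(paths):
    """Lint each file, print findings, return 1 if any blocking finding exists."""
    failed = False
    for path in paths:
        for line_no, ref, reason, blocking in lint_workflow(Path(path).read_text()):
            level = "ERROR" if blocking else "WARN"
            print(f"{path}:{line_no}: {level}: {ref}: {reason}")
            failed = failed or blocking
    return 1 if failed else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))  # e.g. python lint_uses.py .github/workflows/*.yml
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run it as a workflow step over `.github/workflows/*.yml`; the non-zero exit on any mutable reference is what makes it a gate, while the missing-comment case stays a warning so that a one-off pin does not block CI before dependabot has touched it.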

Also, I went through the frizbee docs and found that we can use Minder for automating the pinning of gh action SHAs after creating a gh token.

Image

levi178u avatar Apr 17 '25 09:04 levi178u

My understanding is that dependabot updates with pinned hashes if the action already uses a pinned hash. So the same thing as frizbee's updates, as soon we have pinned them all once. The lint job to ensure that all action uses are pinned makes a lot of sense though.

ok, good. I had not seen that point. I'll remove frizbee from the open PR, then we have a checker in place.

pixi-setup is on 0.8.8, so it won't take long until we can verify that.

ReimarBauer avatar Apr 17 '25 11:04 ReimarBauer