actions icon indicating copy to clipboard operation
actions copied to clipboard
verified publisher icon chainguard-dev

please add a sigstore/cosign-installer action

Open eslerm opened this issue 9 months ago • 1 comments

Several repos use this action: nami, source-integrity-demo, maxcve, auto-deploy-demo, chainguard-migration-demo, and ynad. They had or are using the mutable tags @main, @v3.2.0, and @v3.7.0.

ProdSec is onboard with using mutable tags (e.g., @main) when referencing actions in Chainguard's org/actions repos. Otherwise we would like to see full-length commit SHA pinning to avoid a future tj-actions like attack (https://github.com/chainguard-dev/prodsec/issues/60). If other Chainguard repos are only allowed to use mutable tags to reference org/actions and org/actions always pins external actions, we are not taking on any more risk than those other Chainguard repos pinning to the external repo directly.

By centralizing this pinning, updates can be rolled out in lockstep and we lower dependabot and security maintenance.

eslerm avatar Mar 21 '25 04:03 eslerm