openpilot
Pin GitHub Actions 📌
This pull request pins all GitHub Actions to an exact SHA. The reasoning for this is to prevent supply chain security attacks in 3rd party Action dependencies.
Learn More 📚
You can learn more about Actions security hardening at the following links:
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
- https://github.com/mheap/pin-github-action
Let me know if you have any questions and hopefully this PR helps to lock down all 3rd party Action dependencies 🔒

Also, did someone run CI on my pull request immediately after opening it? Or is Actions configured to run right away even on forked PRs? If this is the case, it might be worthwhile for the maintainers of this repo/org to lock down Actions permissions or audit them to ensure CI is only running in a trusted context.
We only use version tags for GitHub published actions. I'm failing to see a practical case where this matters, though definitely open to ideas here.
> I'm failing to see a practical case where this matters
A practical case where this matters is in the event that a third party Action is compromised which leads to this repository becoming compromised as well.
For example, this repo uses a third party Action from codecov. codecov had a supply chain attack just last year.

If codecov (or any other Action) were to have a compromised release and this project were not using an exact pin to a SHA, then it could be vulnerable from that angle.

Even though this may seem like a minor nag to start pinning your Action versions, I do think it is important. People use this software to help them steer their vehicles. The implications of supply chain attacks here could have pretty raw effects on the physical well-being of people.
TL;DR: I would pin to the exact version of an Action's SHA, everywhere, all the time, and regardless of who created the Action.
I hope that helps and I would be happy to discuss further if you still have questions 😃
@adeebshihadeh
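As an added illustration of the check the PR author argues for (not code from this PR or from openpilot), a small Python script that scans a workflow file for `uses:` references that are not pinned to a full commit SHA. The sample workflow, the `example-org/example-action` name and the 40-character SHA in it are constructed for the demo.

```python
import re

# Matches the `uses:` key of a workflow step, e.g. `      - uses: actions/checkout@v3`.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
# A full 40-hex commit SHA is the only immutable reference for a repository-hosted Action.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def audit_workflow(text):
    """Return (line_number, reference, reason) for each `uses:` not pinned to an immutable ref."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith('./'):
            continue  # local action in this repo: already covered by the repo's own code review
        if ref.startswith('docker://'):
            if '@sha256:' not in ref:
                findings.append((lineno, ref, 'container image by tag; pin to a sha256 digest'))
            continue
        if '@' not in ref:
            findings.append((lineno, ref, 'no ref given at all'))
            continue
        version = ref.rsplit('@', 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref, f'mutable ref "{version}"; a tag or branch can be moved'))
    return findings

# Constructed sample workflow; the 40-character SHA below is made up, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/setup
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
      - uses: codecov/codecov-action@v2
      - uses: example-org/example-action
"""

if __name__ == "__main__":
    for lineno, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Running it over every file under `.github/workflows/` in CI gives a cheap guard that a future PR does not silently reintroduce a tag-based reference.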