
Publish as immutable action

Open JamieMagee opened this issue 1 year ago • 2 comments

Immutable actions are a way to publish custom GitHub Actions as OCI artifacts in the GitHub container registry, as opposed to git refs. They give some better security guarantees than existing actions:

  • Provenance attestations generated using the @actions/attest package
  • Tag immutability - it will not be possible to overwrite tags once published, ensuring versions of an action can't change once in use
  • Namespace immutability - it will not be possible to delete and recreate the package with different content; this would undermine tag immutability

Currently, immutable actions are in preview, but I think it's worth investigating.

References:

  • https://github.com/github/roadmap/issues/592
  • https://github.com/actions/publish-immutable-action

JamieMagee avatar Dec 17 '24 23:12 JamieMagee

See also https://github.com/actions/publish-immutable-action/issues/216. I'm curious how we would detect them.

whoops, thought this was the scorecard repo, not the action

spencerschrock avatar Dec 17 '24 23:12 spencerschrock
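As an added example (not scorecard's own code) for the detection question raised above: a small classifier that sorts the `uses:` references in a workflow by how mutable the referenced ref is. It assumes the workflow text is the only input, so a semver tag can be flagged as "tag" but not resolved to whether the action was actually published as an immutable OCI artifact; that needs a registry lookup the page does not specify.

```python
"""Classify `uses:` references in a GitHub Actions workflow by ref mutability.

Added example, not scorecard code. A regex extractor is used instead of a
YAML parser so the block has no third-party dependencies.
"""
import re

# Constructed sample workflow; the SHA below is a made-up placeholder.
SAMPLE_WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: ossf/scorecard-action@main
      - uses: ./.github/actions/local
      - uses: docker://ghcr.io/example/image:1.2.3
"""

_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
_SEMVER_TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")


def classify(ref: str) -> str:
    """Return a coarse mutability class for one `uses:` value."""
    if ref.startswith("./"):
        return "local"        # lives in the same repo; pinned with the commit
    if ref.startswith("docker://"):
        return "container"    # image reference; pinning rules differ
    if "@" not in ref:
        return "unpinned"     # no ref at all; resolves to the default branch
    _, _, version = ref.rpartition("@")
    if _SHA_RE.match(version):
        return "sha"          # content-addressed; immutable however published
    if _SEMVER_TAG_RE.match(version):
        # A git tag can be moved; it is only immutable when the action is
        # published as an immutable action (OCI artifact in GHCR).
        return "tag"
    return "branch"           # mutable by design


def classify_workflow(text: str) -> dict[str, str]:
    """Map every `uses:` value found in the workflow text to its class."""
    return {m.group(1): classify(m.group(1)) for m in _USES_RE.finditer(text)}
```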

I have a solution for that!

EDIT: commented in the linked issue

JamieMagee avatar Dec 17 '24 23:12 JamieMagee