
feature to require exact version number on a 3rd party action

Open · perryd01 opened this issue 9 months ago · 1 comment

Feature request to require an exact version number on a 3rd-party action.

Why

  • security
  • https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

Example

An opt-in feature where this would be invalid:

      - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18.x   # setup-node's input is node-version, not node_version

and this would be valid:

      - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
      - uses: actions/checkout@v4.2.2
      - uses: actions/setup-node@v4.3.0
        with:
          node-version: 18.x   # setup-node's input is node-version, not node_version

perryd01 · Mar 20 '25 18:03

This would be a good addition, but it's important to note that the real fix for that related issue is to point to a commit SHA, not just another git tag that can be redirected with malicious code.

      - run: echo "Checking commit '${{ github.event.head_commit.message }}'"
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
        with:
          node-version: 18.x   # setup-node's input is node-version, not node_version

david-mcdowell-ilw · Jun 03 '25 02:06
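The two policies discussed in this thread, the opt-in "exact version tag" rule the issue asks for and the stricter "full commit SHA" rule the reply recommends, as an added stand-alone checker. This is example code written for this page, not actionlint's implementation: it scans `uses:` lines with a regular expression rather than parsing the YAML (sufficient because `uses:` always takes a plain string), treats `./path` local actions and `docker://image@sha256:...` digests as already pinned, and additionally flags a SHA pin that lacks the `# vX.Y.Z` comment, since a bare SHA tells a reviewer nothing about which release it is. The sample workflow is constructed; its two SHAs are copied from the reply above.

```python
"""Pin-policy check for GitHub Actions `uses:` references.

Added example, not actionlint's code. It scans `uses:` lines with a regex
instead of parsing YAML, which is enough for the string form `uses:` takes.
"""
import re
from enum import Enum
from typing import List, NamedTuple

# Matches `- uses: value  # comment` at step level and `uses: value` at job
# level (reusable workflows). Quotes around the value are optional.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*[\"']?([^\"'#\s]+)[\"']?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")        # full-length commit SHA
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")     # v4.2.2: exact release tag
FLOATING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")   # v4 or v4.2: moved on each release
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")   # container image digest


class Pin(Enum):
    LOCAL = "local"                       # ./path: same repo, nothing to pin
    SHA = "sha"                           # immutable commit
    DIGEST = "digest"                     # immutable container image
    EXACT_TAG = "exact-tag"               # precise, but a tag can be force-moved
    FLOATING_TAG = "floating-tag"         # maintainer repoints it on every release
    BRANCH_OR_OTHER = "branch-or-other"   # main, feature/x, unrecognised tag
    UNPINNED = "unpinned"                 # no @ref: resolves to the default branch


class Finding(NamedTuple):
    line: int
    uses: str
    reason: str


def classify(uses: str) -> Pin:
    """Classify the ref part of a `uses:` value."""
    if uses.startswith("./"):
        return Pin.LOCAL
    if uses.startswith("docker://"):
        image = uses[len("docker://"):]
        if "@" in image and DIGEST_RE.match(image.rsplit("@", 1)[1]):
            return Pin.DIGEST
        return Pin.FLOATING_TAG   # image:tag (or bare image): the tag is mutable
    if "@" not in uses:
        return Pin.UNPINNED
    ref = uses.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(ref):
        return Pin.SHA
    if EXACT_TAG_RE.match(ref):
        return Pin.EXACT_TAG
    if FLOATING_TAG_RE.match(ref):
        return Pin.FLOATING_TAG
    return Pin.BRANCH_OR_OTHER


# "exact" is the opt-in rule the issue asks for; "sha" is what the reply recommends.
POLICY = {
    "exact": {Pin.LOCAL, Pin.SHA, Pin.DIGEST, Pin.EXACT_TAG},
    "sha": {Pin.LOCAL, Pin.SHA, Pin.DIGEST},
}


def lint(workflow_text: str, mode: str = "sha") -> List[Finding]:
    """Return one Finding per `uses:` line that violates the chosen policy."""
    allowed = POLICY[mode]
    findings: List[Finding] = []
    for n, text in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(text)
        if not m:
            continue
        uses, comment = m.group(1), m.group(2)
        pin = classify(uses)
        if pin not in allowed:
            findings.append(Finding(n, uses, f"ref is {pin.value}; policy '{mode}' does not allow it"))
        elif pin is Pin.SHA and not comment:
            # A bare SHA is opaque to reviewers; keep a '# vX.Y.Z' comment next to it.
            findings.append(Finding(n, uses, "SHA pin has no version comment"))
    return findings


# Constructed sample workflow; the two SHAs are the ones quoted in the reply above.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.3.0
        with:
          node-version: 18.x
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: "docker://alpine:3.20"
"""

if __name__ == "__main__":
    for policy in ("exact", "sha"):
        print(f"policy={policy}")
        for f in lint(SAMPLE_WORKFLOW, policy):
            print(f"  line {f.line}: {f.uses}: {f.reason}")
```

Under the "exact" policy the sample fails on the `@v4` step, the bare-SHA step without a comment, the `@main` step and the `docker://` tag; under "sha" the `@v4.3.0` step fails as well, which is exactly the gap the reply points at: an exact tag is still a name the upstream maintainer (or an attacker with push access) can move.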