Pin versions of GitHub Actions in CI
Pin the GitHub Action dependencies to the hash, following the secure software development best practices recommended by the Open Source Security Foundation (OpenSSF).
When developing a CI workflow, it's common to version-pin dependencies (i.e. actions/checkout@v4). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead. Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed. See https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
Dependabot supports updating the hash together with the version comment, so its updates will continue to work as before.
Links to the used actions and their tag/hash for review/validation:
https://github.com/actions/checkout/tags (v4.1.2 was rolled back)
https://github.com/github/codeql-action/tags
https://github.com/maxim-lobanov/setup-xcode/tags
https://github.com/cross-platform-actions/action/releases/tag/v0.22.0
https://github.com/py-actions/py-dependency-install/tags
https://github.com/actions/upload-artifact/tags
https://github.com/actions/setup-node/tags
https://github.com/taiki-e/install-action/releases/tag/v2.32.2
This PR is part of #211.
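As an added example, not part of this PR or the project: a small Python check that scans a workflow file for `uses:` references that are not pinned to a full-length commit SHA, or that are SHA-pinned but lack the version comment Dependabot relies on to keep its updates readable. The workflow text and the 40-character hashes in it are constructed placeholders, not real commits.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow; the 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4.0.2
      - uses: actions/upload-artifact@abcdef1 # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: actions/cache@main
      - uses: github/codeql-action/init@1111111111111111111111111111111111111111
"""

# Matches "uses: <owner>/<repo>[/<path>]@<ref>" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per GitHub-hosted action that is not hash-pinned with a version comment."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Local actions and Docker images are not fetched from a GitHub tag, so they are out of scope.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref given at all"))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            # Tags, branches and abbreviated SHAs are mutable or ambiguous: flag them.
            findings.append(Finding(lineno, ref, "not pinned to a full-length commit SHA"))
        elif not (m.group("comment") or "").strip():
            findings.append(Finding(lineno, ref, "SHA pin missing the version comment Dependabot updates"))
    return findings
```

Run it over `.github/workflows/*.yml` in a CI step to fail the build when a mutable reference slips in.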
Pinning makes sense but I am curious about the impact of pinning at the commit level as I haven't seen vulns getting tracked at the commit level. Also will we get notifications when a vuln is identified for a particular commit?
I have not seen any info of an attack like this either, but this would be a proactive step to prevent it. I believe the important part is to investigate a bit when Dependabot suggests an update, making sure that the new hash and version seem to be an official release.
Also will we get notifications when a vuln is identified for a particular commit?
I'm not sure. I've seen recommendations to use Dependabot when pinning to a commit, so that the latest release is always used.
As a note, pinning an action to a full-length commit SHA is also mentioned in GitHub's Security hardening for GitHub Actions.