Pin GitHub Actions to commit #65
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an automated PR to update actions in this repo. The operation should be no-op, as we are only switching out the version tag with the matching commit SHA.
Why are we doing this?
Recently, there was a security incident where a malicious actor modified multiple version tags to reference a malicious commit. This could potentially allow the attacker to potentially read logs and steal secrets. Read more about it here.
Although we have confirmed that no Github Actions were actively exploited at Shopify, to mitigate this risk, we should ensure that our 3rd party Github Actions are pinned to a specific immutable hash, and not just a version tag.
To read more about why pinning actions is recommended check here.
How do I keep by Actions up-to-date?
To ensure you still get updates after pinning, this PR also enables Dependabot automated updates. To read more about this configuration check here.
Autofixes
To remove the additional toil of having to merge new updates for Github Actions, you can opt your services in for autofixes. Read more about autofixes here
Timeframe
We will give developers ~1 week to ask questions reguarding this PR and after that, we will merge this PR.
ref: https://github.com/Shopify/dependency-analyzer/issues/1043.
For questions, contact #proj-github-actions-patching.