Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reference SHAs instead of refs for external GitHub Actions in ".workflows" #6

Open
Vadorequest opened this issue Dec 17, 2020 · 1 comment
Open

Reference SHAs instead of refs for external GitHub Actions in ".workflows" #6

Vadorequest opened this issue Dec 17, 2020 · 1 comment

Comments

@Vadorequest
Copy link
Member

Is your feature request related to a problem? Please describe.
It's unsafe to reference refs, it's safer to references SHAs, especially if we provide Secrets or other sensitive information.

Describe the solution you'd like
We might use something like https://github.com/mheap/pin-github-action and have scripts that run it against our workflows files. And automate it somehow, so that it is enforced.

Describe alternatives you've considered
Doing it manually. Not great DX.

Additional context
https://michaelheap.com/improve-your-github-actions-security/
@Vadorequest
Copy link
Member Author

Use https://github.com/marketplace/actions/ensure-sha-pinned-actions for enforcing rule is applied automatically. See https://michaelheap.com/ensure-github-actions-pinned-sha/

@Vadorequest Vadorequest changed the title Reference SHAs instead of refs for external actions Reference SHAs instead of refs for external GitHub Actions in ".workflows" Jan 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Vadorequest