Add option for GH actions to prefer SHA pins #7913

Open
1 task done
ThiefMaster opened this issue Aug 28, 2023 · 2 comments
Labels
T: feature-request Requests for new features

Comments

@ThiefMaster

Is there an existing issue for this?

  • I have searched the existing issues

Feature description

It's painful or requires 3rd party tools to convert a GitHub actions config file from tag/branch pins to the (more secure) SHA pins.

It would be nice if there was a setting in the dependabot config to prefer SHA pins. This would trigger a dependabot 'update' that replaces the named pins with SHA pins, and add a comment indicating the actual version as well.

@HonkingGoose
Contributor

HonkingGoose commented May 17, 2024

Pin actions by default, to match GitHub's own recommendations

The GitHub Docs, Security Hardening for GitHub Actions, Using third-party actions recommends users:

  • Pin actions to a full length commit SHA

    Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Users may never read these docs, or forget to pin the actions manually, so that Dependabot can update the pins later.

Dependabot should default to pinning the GitHub Actions, and allow users to opt-out with a configuration toggle.

Here's how that could look:

  1. Dependabot opens a special "Pin actions PR" as preparation for later updates
  2. Dependabot will offer updates of pinned actions via the normal schedule/rules
  3. Users that do not want pinning can opt-out via some configuration option/toggle

Why Dependabot should default to pinning actions

@JamieMagee opened a PR that pins your GitHub Actions to the commit SHA:

If even the maintainers of Dependabot accidentally forgot to pin their actions, then others will likely forget too. I don't mean this in a bad way, or to shame you, or anything like that! 😉

Related issue
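
A check for the pinning state that both comments above describe, added here as an example and not Dependabot's own code: it flags every `uses:` reference that is not a full 40-hex commit SHA and shows how a tag pin would be rewritten in the `action@<sha> # <tag>` form the feature request asks for. The sample workflow and the `resolve` callback are constructed for illustration; a real implementation must resolve the SHA from the action's own repository, not a fork, as the quoted GitHub docs note.

```python
import re

# Constructed sample workflow (not taken from the issue); line 6 is already SHA-pinned.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
      - uses: actions/cache@0c45773b623bea5c8a7b5b3b8f9e6d4c3b2a1f0e # v4.0.2
      - uses: ./.github/actions/local
      - run: make test
"""

# `- uses: owner/repo@ref` with an optional trailing `# comment`.
USES_RE = re.compile(r"^(\s*-\s*uses:\s*)([^@\s#]+)@([^\s#]+)(\s*#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(line):
    """Return (action, ref, kind) for a `uses:` line, or None for other lines.
    kind is 'sha' for a full 40-hex commit pin, otherwise 'mutable' (tag/branch)."""
    m = USES_RE.match(line)
    if not m:
        return None
    action, ref = m.group(2), m.group(3)
    kind = "sha" if FULL_SHA_RE.match(ref) else "mutable"
    return action, ref, kind


def find_mutable_pins(workflow_text):
    """List (line_no, action, ref) for every `uses:` not pinned to a full SHA."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        c = classify_uses(line)
        if c and c[2] == "mutable":
            found.append((n, c[0], c[1]))
    return found


def pin_line(line, resolve):
    """Rewrite a mutable pin as `action@<sha> # <ref>`; SHA-pinned lines are unchanged.
    `resolve(action, ref)` is a caller-supplied (hypothetical) lookup that returns the
    full commit SHA the ref currently points at in the action's own repository."""
    m = USES_RE.match(line)
    if not m or FULL_SHA_RE.match(m.group(3)):
        return line
    sha = resolve(m.group(2), m.group(3))
    return f"{m.group(1)}{m.group(2)}@{sha} # {m.group(3)}"
```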

@ModeSevenIndustrialSolutions

+1 for this requested feature; is this on the roadmap anywhere?
