Add helpers:pinGitHubActionDigests to config:base

[HonkingGoose]

What would you like Renovate to be able to do?

It's a good idea to pin your GitHub Actions to a SHA1 hash, to prevent a malicious attacker from changing the Git tags, and pointing to a corrupted version of the action. This is a strong recommendation for third-party actions. Might not be so important for first-party actions.

Maybe it's a good idea to add helpers:pinGitHubActionDigests preset to our config:base preset, so that people follow this best-practice automatically? See the Renovate docs, helper presets, helpers:pinGitHubActionDigests to learn more about the preset.

Relevant quote from the GitHub Docs, security hardening for GitHub Actions, using third party actions:

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

If you have any ideas on how this should be implemented, please tell us here.

1. Add helpers:pinGitHubActionDigests to config:base
2. Create config migration
3. Confirm tests still work

Is this a feature you are interested in implementing yourself?

No

[rarkins]

We try not to be too opinionated with config:base. Is it possible to exclude GitHub actions and call it :pinThirdPartyActionDigests?

[HonkingGoose]

Is it possible to exclude GitHub actions and call it :pinThirdPartyActionDigests?

I don't think this should replace the existing :pinGitHubActionDigests but we could/should rename it to pinAllGithubActionDigests to separate it from your new digest preset. 😉

We could make a new helper preset :pinThirdPartyActionDigests that excludes github/ action domains from getting pinned, but matches all other actions that are "third-party", so anything not from GitHub. This assumes that people always trust whatever comes out of the github/ domain organization though. But people would at least benefit from having their third-party actions pinned to a full commit hash if we include :pinThirdPartyActionDigests in config:base. I think this matching could be done by a simple rule like: IF GitHub actions domain matches github/** skip, ELSE pin to full commit SHA.

[rarkins]

config:base is widely used - as are github actions now - and we want to make sure we don't get too opinionated and have lots of people trying to undo the default. We agree it's best practice, but we exist to serve our users, not boss them around too much..

So at most I think I'd want to default it for non-github actions only, but I'm still not even convinced of that. @JamieMagee what's your opinion?

[JamieMagee]

I like the idea, and it's a best security practice, but I agree that we don't want to be too opinionated about the base preset. We did receive some strong feedback around the dashboard becoming default 😅 I really wish we could A/B test these sort of sweeping default changes 🤔

As for 1st party (GitHub) vs 3rd party (non-GitHub) actions, they should be treated the same IMO. It falls in the category of zero trust.

[HonkingGoose]

How about we create a config:opinionated preset? People who don't want to be bossed around can use config:base and people who want a more opinionated preset can use config:opinionated.

config:opinionated could have the helpers:pinGitHubActionDigests preset enabled for example.

If we don't want to add a new preset, how about we add a new section to the docs somewhere suitable, and explain that it's a good idea to pin all your actions? That way we surface the best-practice, without forcing it on our users via the config:base or config:opinionated presets.

[rarkins]

BTW I was already thinking that config:base is somewhat misnamed. Even though we try not to keep it too opinionated, it still is. I had been thinking to rename it to config:recommended soon, so people understand from the name it's subjective/opinionated. A challenge is that config:recommended and config:opinionated then is hard to distinguish too easily from the names alone.

[HonkingGoose]

How about config:best-practice, would that give the right idea? Could even go with config:renovates-best-practice to be extra clear who is making the recommendations... 😄

[HonkingGoose]

Would config:strict be a good name for a preset that covers all our recommendations and best practices? We could put these things in a config:strict

• Pin GitHub actions to SHA
• Pin Docker Digests to SHA
• Pin JavaScript dependencies
• Other critical stuff that I'm forgetting

---

Edit: I've created a new issue to track the config:strict/config:best-practice idea, see:

• Create config:best-practices preset #16100

[rarkins]

I like config:best-practice

[HonkingGoose]

I think we now want to include helpers:pinGithubActionDigest in a new config:best-practice preset instead?

Maybe we can close this issue as not planned?