
Pin GitHub Action Git SHA (Digest Pinning) #7537

Closed
HonkingGoose opened this issue Oct 24, 2020 · 3 comments · Fixed by #10835
Assignees
Labels
manager:github-actions Github actions manager platform:github GitHub Platform priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others status:in-progress Someone is working on implementation type:feature Feature (new functionality)

Comments

@HonkingGoose
Collaborator

What would you like Renovate to be able to do?

Pin a GitHub action to a specific Git SHA (digest pinning).

Did you already have any implementation ideas?

Are there any workarounds or alternative ideas you've tried to avoid needing this feature?

Is this a feature you'd be interested in implementing yourself?

References

See #7516 for related discussion.

@HonkingGoose HonkingGoose added type:feature Feature (new functionality) manager:github-actions Github actions manager platform:github GitHub Platform labels Oct 27, 2020
@rarkins rarkins added the status:requirements Full requirements are not yet known, so implementation should not be started label Jan 12, 2021
@HonkingGoose HonkingGoose added priority-3-medium Default priority, "should be done" but isn't prioritised ahead of others and removed priority-5-triage labels Mar 6, 2021
@HonkingGoose
Collaborator Author

Maybe we should bump this to priority-2-important, as we can stop a lot of bad stuff by allowing Renovate users to pin their GitHub Actions to a specific Git SHA.

I found documentation from GitHub explaining why you need to be careful with GitHub actions, and why pinning to a specific SHA is safer than using a tag. I've copy/pasted the most relevant parts:

The individual jobs in a workflow can interact with (and compromise) other jobs. For example, a job querying the environment variables used by a later job, writing files to a shared directory that a later job processes, or even more directly by interacting with the Docker socket and inspecting other running containers and executing commands in them.

This means that a compromise of a single action within a workflow can be very significant, as that compromised action would have access to all secrets configured on your repository, and can use the GITHUB_TOKEN to write to the repository. Consequently, there is significant risk in sourcing actions from third-party repositories on GitHub. You can help mitigate this risk by following these good practices:

Pin actions to a full length commit SHA
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

[snip]

Pin actions to a tag only if you trust the creator
Although pinning to a commit SHA is the most secure option, specifying a tag is more convenient and is widely used. If you’d like to specify a tag, then be sure that you trust the action's creators. The ‘Verified creator’ badge on GitHub Marketplace is a useful signal, as it indicates that the action was written by a team whose identity has been verified by GitHub. Note that there is risk to this approach even if you trust the author, because a tag can be moved or deleted if a bad actor gains access to the repository storing the action.

Source for quotes: GitHub docs, security hardening for GitHub actions, using third party actions.

I'll let the Renovate maintainers decide on what priority they want to use for this issue, now they have this extra information.
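As an added illustration (not code from this issue or from Renovate itself), here is a small Python check that scans a workflow file for `uses:` references and reports the ones that are not pinned to a full-length commit SHA, which is the practice the quoted GitHub docs recommend. The sample workflow and the 40-character SHA inside it are constructed placeholders; the trailing `# v2.1.5` comment is a common convention for keeping the human-readable version next to the pin and is not something the issue specifies.

```python
import re

# Matches a step's `uses:` value (owner/repo[/path]@ref, ./local/path, or docker://image).
# Quotes are optional; a trailing YAML comment (e.g. "# v2.1.5") is not part of the value.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?')

# Only a full-length (40 hex character) SHA-1 counts as a pin; abbreviated SHAs,
# tags and branch names can all be moved, so they are treated as unpinned.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(uses_value):
    """Return 'pinned', 'tag', 'local', 'docker' or 'invalid' for one uses: value."""
    if uses_value.startswith('./'):
        return 'local'            # action in the same repository, no ref to pin
    if uses_value.startswith('docker://'):
        return 'docker'           # container image; pin by image digest, not Git SHA
    if '@' not in uses_value:
        return 'invalid'          # GitHub requires an @ref for remote actions
    _, ref = uses_value.rsplit('@', 1)
    return 'pinned' if FULL_SHA_RE.match(ref) else 'tag'


def find_unpinned(workflow_text):
    """Return (line_number, uses_value, kind) for each remote action not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        kind = classify_ref(value)
        if kind in ('tag', 'invalid'):
            findings.append((lineno, value, kind))
    return findings


# Constructed sample workflow: one action pinned to a (placeholder) full SHA,
# three referenced by tag or branch, plus a local and a docker reference.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v2.1.5
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.13
      - uses: some-org/some-action@main
      - uses: "some-org/quoted-action@v1"
"""

if __name__ == '__main__':
    for lineno, value, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {lineno}: {value} is referenced by {kind}, not a full commit SHA')
```

Running the script on the constructed workflow reports lines 7, 11 and 12; the `setup-node` step on line 8 passes because its ref is a full 40-character SHA. The check is deliberately line-based so it needs no YAML library, which also means it will not follow YAML anchors or multi-line scalars; a production checker would parse the document properly.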

@jokay

jokay commented Apr 28, 2021

Would be great to have this one 👍

Especially if you see news like this and this 🧐

@viceice viceice self-assigned this Jul 14, 2021
@viceice viceice added status:in-progress Someone is working on implementation and removed status:requirements Full requirements are not yet known, so implementation should not be started labels Jul 14, 2021
@renovate-release
Collaborator

🎉 This issue has been resolved in version 25.56.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 14, 2021
5 participants