Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lock third-party actions #118

Merged
merged 1 commit into from
Jun 18, 2024
Merged

Lock third-party actions #118

merged 1 commit into from
Jun 18, 2024

Conversation

arianvp
Copy link
Contributor

@arianvp arianvp commented Jun 18, 2024

Description

A caller of this action can lock this action to a specific commit. However because the action itself does not lock its dependent actions to a specific commit this opens the end-user up to possible supply-chain attacks if the dependent actions rewrite their tags.

This PR changes all third party actions to be explicitly locked.

Dependabot will still work and update these hashes for you

I also suggest installing https://github.com/ossf/scorecard in this repo. It will report about these kind of issues.

Note that you should in turn have to audit all the third party deps of the actions that your action depends on. In general this is all a bit of a mess and GitHub's security model is very meh

e.g. see ossf/scorecard#2189

Checklist
  • Tested functionality against a test repository (see "How to test changes")
  • Added or updated relevant documentation (leave unchecked if not applicable)

A caller of this action can lock this action to a specific commit. However because the action itself does not lock its dependent actions to a specific commit this opens the end-user up to possible supply-chain attacks if the dependent actions rewrite their tags.

This PR changes all third party actions to be explicitly locked.

Dependabot will still work and update these hashes for you


I also suggest installing https://github.com/ossf/scorecard in this repo. It will report about these kind of issues.

Note that you should in turn have to audit all the third party deps of the actions that your action depends on. In general this is all a bit of a mess and GitHub's security model is very meh

e.g. see ossf/scorecard#2189
Copy link
Member

@cole-h cole-h left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I didn't know dependabot would be fine updating these hashes.

I'll look into integrating the scorecard separately.

@cole-h cole-h merged commit af9a980 into DeterminateSystems:main Jun 18, 2024
2 checks passed
dc-tec referenced this pull request in dc-tec/nixvim Aug 7, 2024
#19)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[DeterminateSystems/update-flake-lock](https://github.com/DeterminateSystems/update-flake-lock)
| action | major | `v22` -> `v23` |

---

### Release Notes

<details>
<summary>DeterminateSystems/update-flake-lock
(DeterminateSystems/update-flake-lock)</summary>

###
[`v23`](https://github.com/DeterminateSystems/update-flake-lock/releases/tag/v23)

[Compare
Source](https://github.com/DeterminateSystems/update-flake-lock/compare/v22...v23)

#### What's Changed

- Lock third-party actions by
[@&#8203;arianvp](https://github.com/arianvp) in
[https://github.com/DeterminateSystems/update-flake-lock/pull/118](https://github.com/DeterminateSystems/update-flake-lock/pull/118)
- Add instructions for new fine grained GitHub PAT by
[@&#8203;ibizaman](https://github.com/ibizaman) in
[https://github.com/DeterminateSystems/update-flake-lock/pull/92](https://github.com/DeterminateSystems/update-flake-lock/pull/92)
- Fixup support for Nix 2.23.0 and later by
[@&#8203;cole-h](https://github.com/cole-h) in
[https://github.com/DeterminateSystems/update-flake-lock/pull/121](https://github.com/DeterminateSystems/update-flake-lock/pull/121)

#### New Contributors

- [@&#8203;arianvp](https://github.com/arianvp) made their first
contribution in
[https://github.com/DeterminateSystems/update-flake-lock/pull/118](https://github.com/DeterminateSystems/update-flake-lock/pull/118)
- [@&#8203;ibizaman](https://github.com/ibizaman) made their first
contribution in
[https://github.com/DeterminateSystems/update-flake-lock/pull/92](https://github.com/DeterminateSystems/update-flake-lock/pull/92)

**Full Changelog**:
DeterminateSystems/update-flake-lock@v22...v23

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job log](https://developer.mend.io/github/dc-tec/nixvim).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZSJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants