
Pin actions to a full length commit SHA #140301

Conversation

naveensrinivasan

Motivation for this change

Pinning an action to a full length commit SHA is currently the only way to use an action as
an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a
backdoor to the action's repository, as they would need to generate a SHA-1 collision for
a valid Git object payload.

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes (or backporting 21.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.
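As an added example (not code from this PR or from nixpkgs), here is a small Python checker that applies the PR's rule to a workflow file: every `uses:` reference to a third-party action must end in a 40-character commit SHA. The workflow embedded in it is constructed sample input and the action names in it are placeholders; it also separates abbreviated hashes, floating tags and local or docker references so the report says why a step is not a full-length pin.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full-length commit SHA.

Added example for this PR discussion; not code from nixpkgs or from the PR itself.
The workflow below is constructed sample input and its action names are placeholders.
"""
import re
import sys

# `uses:` line of a step: `owner/repo[/path]@ref`, a local `./path`, or `docker://image`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")

# Constructed sample: one full-SHA pin, one floating tag, one abbreviated hash,
# one local action and one docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v2.3.4
      - uses: actions/setup-node@v2
      - uses: example-org/some-action@abc1234
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.14
      - run: echo hello
"""


def classify(ref: str) -> str:
    """Say how a `uses:` reference is pinned.

    full-sha       40 hex characters: the immutable pin the PR asks for
    short-sha      abbreviated hash: not a full-length pin (a hex-looking tag such as
                   `deadbeef` lands here too, so treat this class as "needs a look")
    tag-or-branch  mutable ref such as `v2` or `main`
    no-ref         nothing after `@`, so no pin at all
    local/docker   out of scope for SHA pinning
    """
    ref = ref.strip("\"'")
    if ref.startswith(("./", "../")):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "no-ref"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version):
        return "full-sha"
    if SHORT_SHA_RE.match(version):
        return "short-sha"
    return "tag-or-branch"


def find_unpinned(workflow_text: str) -> list:
    """Return (line_number, ref, classification) for every `uses:` that is not a full SHA pin."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        kind = classify(ref)
        if kind not in ("full-sha", "local", "docker"):
            findings.append((lineno, ref, kind))
    return findings


def main(argv: list) -> int:
    """Check the workflow files named on the command line, or the built-in sample."""
    sources = [(p, open(p).read()) for p in argv[1:]] or [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for path, text in sources:
        for lineno, ref, kind in find_unpinned(text):
            print(f"{path}:{lineno}: {ref} ({kind})")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_pins.py .github/workflows/*.yml` to get a non-zero exit status whenever a step is not pinned to a full SHA; the trailing `# v2.3.4` comment on a pinned line is what dependabot uses to know which human-readable version the SHA corresponds to, so keep it next to the hash.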

@naveensrinivasan naveensrinivasan requested review from Mic92, zowoq and a team as code owners October 2, 2021 16:59
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Oct 2, 2021
Contributor

@zowoq zowoq left a comment


Please undo all of the formatting changes.

@zowoq
Contributor

zowoq commented Oct 2, 2021

Is this compatible with dependabot? We have it enabled in a fork of this repo and forward the PRs here.

@naveensrinivasan
Author

Is this compatible with dependabot? We have it enabled in a fork of this repo and forward the PRs here.

Yes it is compatible.

@naveensrinivasan
Author

Please undo all of the formatting changes.

Will do that.

@zowoq
Contributor

zowoq commented Oct 2, 2021

Is this compatible with dependabot? We have it enabled in a fork of this repo and forward the PRs here.

Yes it is compatible.

Is that documented somewhere?

@naveensrinivasan
Author

Is this compatible with dependabot? We have it enabled in a fork of this repo and forward the PRs here.

Yes it is compatible.

Is that documented somewhere?

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot

@naveensrinivasan naveensrinivasan force-pushed the naveen/feat/pin-github-actions branch from 7e9fe66 to f843543 Compare October 2, 2021 19:00
@naveensrinivasan naveensrinivasan requested review from zowoq and removed request for a team October 2, 2021 19:00
@naveensrinivasan
Author

Please undo all of the formatting changes.

I have undone the formatting changes.

@naveensrinivasan naveensrinivasan force-pushed the naveen/feat/pin-github-actions branch from f843543 to 0ba17f1 Compare October 2, 2021 19:04
@naveensrinivasan naveensrinivasan force-pushed the naveen/feat/pin-github-actions branch from 0ba17f1 to 1447de9 Compare October 2, 2021 19:06
@zowoq zowoq requested a review from a team October 2, 2021 19:09
@SuperSandro2000
Member

as they would need to generate a SHA-1 collision for a valid Git object payload.

At least with short SHAs this is not possible on GitHub and you get a 404 instead of the colliding hash.

@SuperSandro2000
Member

How many updates will cause this? If we blindly merge all dependabot updates we gain nothing but more work for us. Also I think at least for GitHub's own actions we don't want to pin them to get important updates they might do on their side to reflect API changes etc.

@Mic92
Member

Mic92 commented Oct 3, 2021

If our threat model is that we don't trust certain actions, should we then not have those actions at all?
I don't think it is feasible to fully review the code of all extensions on every update - I don't know how SHA refs would improve this aspect. I think we could improve security if we pin to patch level and then monitor if tags change without a patch level bump.
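One way to implement the monitoring Mic92 suggests, as an added example that is not part of this PR or of nixpkgs: record what `git ls-remote --tags` returned for the action's repository when the patch-level tag was chosen, re-run it later, and alert when a patch-level tag now resolves to a different commit. The two ls-remote outputs in the block are constructed snapshots; the `^{}` peeled entries follow git's real output format for annotated tags, which is the edge case a naive comparison gets wrong.

```python
"""Alert when a patch-level tag of an action resolves to a different commit than recorded.

Added example for the discussion above; not code from nixpkgs or from the PR. The two
`git ls-remote --tags` outputs are constructed snapshots, not real repository state.
"""
import re

# `git ls-remote --tags <url>` prints `<sha>\trefs/tags/<name>`; for an annotated tag it adds
# `<sha>\trefs/tags/<name>^{}` with the peeled commit, which is what a workflow actually runs.
LS_REMOTE_RE = re.compile(
    r"^(?P<sha>[0-9a-f]{40})\trefs/tags/(?P<name>[^\s^]+)(?P<peeled>\^\{\})?$"
)
# Only patch-level tags are expected to stay put; `v2` is a floating major tag.
PATCH_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")


def sha(c: str) -> str:
    """Constructed placeholder SHA made of one repeated hex digit."""
    return c * 40


RECORDED = (
    f"{sha('a')}\trefs/tags/v2.3.4\n"
    f"{sha('b')}\trefs/tags/v2.3.5\n"        # annotated tag object ...
    f"{sha('c')}\trefs/tags/v2.3.5^{{}}\n"   # ... and the commit it points at
    f"{sha('d')}\trefs/tags/v2\n"
)
CURRENT = (
    f"{sha('9')}\trefs/tags/v2.3.4\n"        # moved: alert
    f"{sha('e')}\trefs/tags/v2.3.5\n"        # re-created tag object ...
    f"{sha('c')}\trefs/tags/v2.3.5^{{}}\n"   # ... same commit: no alert
    f"{sha('f')}\trefs/tags/v2\n"            # floating tag moved: expected
    f"{sha('1')}\trefs/tags/v2.3.6\n"        # new release: not drift
)


def parse_ls_remote(text: str) -> dict:
    """Map tag name -> commit SHA, preferring the peeled (^{}) entry of annotated tags."""
    commits, peeled = {}, set()
    for line in text.splitlines():
        m = LS_REMOTE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if m.group("peeled"):
            commits[name] = m.group("sha")
            peeled.add(name)
        elif name not in peeled:
            commits[name] = m.group("sha")
    return commits


def moved_patch_tags(recorded_text: str, current_text: str) -> list:
    """Patch-level tags whose commit differs from the snapshot, as (name, old_sha, new_sha).

    new_sha is None when the tag has disappeared upstream.
    """
    old = parse_ls_remote(recorded_text)
    new = parse_ls_remote(current_text)
    drift = []
    for name in sorted(old):
        if not PATCH_TAG_RE.match(name):
            continue
        if name not in new:
            drift.append((name, old[name], None))
        elif new[name] != old[name]:
            drift.append((name, old[name], new[name]))
    return drift


if __name__ == "__main__":
    for name, was, now in moved_patch_tags(RECORDED, CURRENT):
        print(f"tag {name} moved from {was} to {now or '(deleted)'}")
```

In practice `RECORDED` is the output captured when the tag was pinned and `CURRENT` a fresh `git ls-remote --tags` run from CI. Comparing peeled commits rather than tag-object hashes avoids a false alarm when a maintainer merely re-signs an annotated tag. What this check cannot see is a malicious change shipped as a new patch release, which is the gap that full-SHA pinning plus a reviewed dependabot bump is meant to close.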

@naveensrinivasan
Author

How many updates will cause this? If we blindly merge all dependabot updates we gain nothing but more work for us. Also I think at least for GitHub's own actions we don't want to pin them to get important updates they might do on their side to reflect API changes etc.

How many updates will cause this?
I agree with the concern about updates. The other side is you are oblivious to critical updates. Now it gives you the information you can act on whether or not to.

Why don't you want to get the GitHub-owned actions?
Ideally, it shouldn't change. But what happens if they get compromised, this will protect that case.

@mohe2015
Contributor

mohe2015 commented Oct 3, 2021

I agree that the github actions should probably not be pinned.

I like pinning the other actions just to protect from malicious updates. I agree that that protection is mostly limited to somebody pointing out an update is malicious before we update if we don't review the diff. Reviewing the diff may still be easier than doing a full review. Although most of the actions here seem to be fairly small in scope so maybe a review isn't that hard.

Also https://github.com/actions/github-script may be an option to replace the actions that just comment or do other super basic stuff.

In general I don't like using many actions from different repos in my own projects but it's also hard to have nice CI and mostly trusted actions.

@stale

stale bot commented Apr 16, 2022

I marked this as stale due to inactivity.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Apr 16, 2022
@SuperSandro2000 SuperSandro2000 added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Sep 16, 2022
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Sep 16, 2022
@SuperSandro2000
Member

Closing because of feedback.

@Janik-Haag Janik-Haag added the 12. first-time contribution This PR is the author's first one; please be gentle! label Jun 12, 2023
@zowoq zowoq mentioned this pull request Nov 28, 2023
13 tasks
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: policy discussion 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux 12. first-time contribution This PR is the author's first one; please be gentle!
6 participants