Why you should pin your GitHub Actions by commit-hash

[utterances-bot]

Why you should pin your GitHub Actions by commit-hash

A tech blog focused on Application Performance and Software Architecture. The Front-end is just JSON over here.

https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash

[dreua]

Thank you for the article! It makes sense and maybe should become the default. Are there any known attacks using this method?

[RafaelGSS]

Hi @dreua! The attack vector is the supply chain attack one mentioned in the blog post

[TWiStErRob]

@RafaelGSS it would be interesting to know if there was any known real incident using this attack vector. I think that's what dreua wanted to know as well.

[dreua]

What I wonder additionally is whether it is possible to get automatic updates with pinned hashes. Dependabot is really great with checking your used actions and creating PRs for updates. Not sure if it us a worthy trade to use pinned outdated Actions but never get them updated. (Assuming you can't get both and have someone or some bot to help with updating the pins.)

[RafaelGSS]

@RafaelGSS it would be interesting to know if there was any known real incident using this attack vector. I think that's what dreua wanted to know as well.

I know a few real incidents, but I don't have references to share them.

What I wonder additionally is whether it is possible to get automatic updates with pinned hashes. Dependabot is really great with checking your used actions and creating PRs for updates

Dependabot automatically updates it. See nodejs/node#51334

[TWiStErRob]

Renovate also does it: detekt/detekt@fde578d
Config: https://docs.renovatebot.com/presets-config/#configbest-practices