Secure updates for GitHub Actions (and more) #2835

Closed
TriplEight opened this issue Dec 9, 2020 · 9 comments
Labels
T: feature-request Requests for new features

Comments

@TriplEight

We've decided to follow GitHub's example and best practice: updating the Actions we use in a less blind but still somewhat automated manner. That's for security purposes.

Can Dependabot currently help with something from this list?

@TriplEight TriplEight added the T: feature-request Requests for new features label Dec 9, 2020
@willnorris

willnorris commented Aug 19, 2021

We similarly use commit SHA for actions in google/go-github, and dependabot now seems to support that (using SHAs in updates): google/go-github#2049

One additional thing we do, however, is to leave a comment for what release that SHA corresponds to (similar to what github/docs is doing in their allowlist). For example:

steps:
  - uses: styfle/cancel-workflow-action@89f242ee29e10c53a841bfe71cc0ce7b2f065abc #0.9.0

It would be really nice if dependabot supported that and would bump the version in the comment. For now, we're just doing it manually in the PR (like in the example above)

@timmeinerzhagen

Would love to see sha comment adjustments in Dependabot natively.

For the meantime I wrote an action timmeinerzhagen/dependabot-sha-comment-action that does the trick for me
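A small checker that does what the two comments above ask for, written as an added example rather than code from Dependabot, google/go-github or timmeinerzhagen's action: it walks a workflow file, flags any `uses:` that is not pinned to a full 40-hex commit SHA or whose SHA pin lacks a version comment, and, given a SHA-to-tag resolver, reports stale comments and rewrites them. The sample workflow and the `KNOWN_TAGS` table are constructed inputs (only the styfle/cancel-workflow-action pairing is taken from the thread); a real resolver would consult the action repository's tags, for instance via `git ls-remote --tags`.

```python
"""Audit GitHub Actions `uses:` pins the way the thread describes: every
third-party action pinned to a full commit SHA, with a trailing comment
naming the release that SHA corresponds to. Added example; not Dependabot's
or google/go-github's code."""
import re
from typing import Callable, Dict, List, NamedTuple, Optional

# One `uses:` step, e.g. `- uses: owner/repo@<ref> # v1.2.3`. Local actions
# (`./path`) and `docker://` images have no `owner/repo@ref` shape and are
# ignored; quoted values ("owner/repo@v1") are not handled here.
USES_RE = re.compile(
    r'^(?P<prefix>\s*-?\s*uses:\s*)'
    r'(?P<action>[\w.\-]+/[\w.\-]+(?:/[^@\s]+)?)'
    r'@(?P<ref>[^\s#]+)'
    r'\s*(?:#\s*(?P<comment>\S.*?))?\s*$'
)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Resolver signature: (action, sha) -> release tag, or None if unknown.
TagResolver = Callable[[str, str], Optional[str]]


class Finding(NamedTuple):
    line_no: int
    action: str
    problem: str


def audit_workflow(text: str, resolve_tag: Optional[TagResolver] = None) -> List[Finding]:
    """Flag steps that are not pinned to a full SHA, SHA pins with no version
    comment, and (when a resolver is supplied) comments that no longer match
    the release the SHA actually belongs to."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m['action'], m['ref'], m['comment']
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(n, action, 'not pinned to a full commit SHA'))
        elif not comment:
            findings.append(Finding(n, action, 'SHA pin has no version comment'))
        elif resolve_tag is not None:
            tag = resolve_tag(action, ref)
            if tag is not None and comment != tag:
                findings.append(Finding(n, action, f'comment says {comment} but SHA is {tag}'))
    return findings


def refresh_comments(text: str, resolve_tag: TagResolver) -> str:
    """Rewrite the comment after each SHA pin to the release the SHA maps to.
    The SHA is never touched: the comment is documentation for reviewers,
    the SHA is the actual security control."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and FULL_SHA_RE.match(m['ref']):
            tag = resolve_tag(m['action'], m['ref'])
            if tag is not None:
                line = f"{m['prefix']}{m['action']}@{m['ref']} # {tag}"
        out.append(line)
    return '\n'.join(out) + ('\n' if text.endswith('\n') else '')


# Constructed sample workflow. The styfle line is the pairing shown in the
# thread; the other refs and SHAs are made-up placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: styfle/cancel-workflow-action@89f242ee29e10c53a841bfe71cc0ce7b2f065abc #0.9.0
      - uses: actions/setup-go@a1b2c3d
      - uses: example/action@0123456789abcdef0123456789abcdef01234567
      - uses: example/other@fedcba9876543210fedcba9876543210fedcba98 # v2.0.0
"""

# Constructed stand-in for a real lookup (e.g. `git ls-remote --tags` on the
# action's repository, then matching each tag's commit to the pinned SHA).
KNOWN_TAGS: Dict[str, str] = {
    'styfle/cancel-workflow-action@89f242ee29e10c53a841bfe71cc0ce7b2f065abc': '0.9.0',
    'example/action@0123456789abcdef0123456789abcdef01234567': 'v1.2.0',
    'example/other@fedcba9876543210fedcba9876543210fedcba98': 'v2.1.0',
}


def lookup_tag(action: str, sha: str) -> Optional[str]:
    # Sub-path actions (owner/repo/dir@sha) share the repository's tags.
    repo = '/'.join(action.split('/')[:2])
    return KNOWN_TAGS.get(f'{repo}@{sha}')


if __name__ == '__main__':
    for f in audit_workflow(SAMPLE_WORKFLOW, lookup_tag):
        print(f'line {f.line_no}: {f.action}: {f.problem}')
    print(refresh_comments(SAMPLE_WORKFLOW, lookup_tag))
```

The split the code encodes is the one the comment above relies on: the comment is for the human reviewing the PR, the SHA is what the runner checks out. A tag such as `v3` can be re-pointed at different code after review; a commit SHA cannot, which is why the first check fails anything that is not a full SHA, and why `refresh_comments` edits only the comment and never the ref.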

dfarrell07 added a commit to dfarrell07/submariner that referenced this issue Mar 23, 2022
This is a bit of a test of Dependabot's support for managing SHA-based
versions of GitHub Actions.

In the original press release about Dependabot's support for GHAs,
they say:

> Dependabot creates pull requests that update the action to the latest
released tag (e.g., v2), regardless of if you’re currently on a release
tag, a pre-release tag, or a specific hash.

github.blog/2020-06-25-dependabot-now-updates-your-actions-workflows/

But I think SHA-based updates were added as a part of:

dependabot/dependabot-core#2835

I see examples where Dependabot apparently works with SHAs:

https://github.com/systemd/systemd/pull/22638/files
https://github.com/google/go-github/pull/2049/files

And those projects are using config like is proposed here:

https://github.com/systemd/systemd/blob/main/.github/dependabot.yml#L5
https://github.com/google/go-github/blob/master/.github/dependabot.yml#L15

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
dfarrell07 added a commit to dfarrell07/submariner that referenced this issue Mar 23, 2022
This is a bit of a test of Dependabot's support for managing SHA-based
versions of GitHub Actions.

In the original press release about Dependabot's support for GHAs,
they say:

> Dependabot creates pull requests that update the action to the latest
released tag (e.g., v2), regardless of if you’re currently on a release
tag, a pre-release tag, or a specific hash.

github.blog/2020-06-25-dependabot-now-updates-your-actions-workflows/

But I think SHA-based updates were added as a part of:

dependabot/dependabot-core#2835

I see examples where Dependabot apparently works with SHAs:

https://github.com/systemd/systemd/pull/22638/files
https://github.com/google/go-github/pull/2049/files

And those projects are using config like is proposed here:

https://github.com/systemd/systemd/blob/main/.github/dependabot.yml#L5
https://github.com/google/go-github/blob/master/.github/dependabot.yml#L15

As always, we should be careful about taking updates from third parties
and review these PRs to update GHAs carefully. Especially until submariner-io#1740
reduces the permissions of each job to the minimum required.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
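The two fragments the commit message points at, written out as an added example (not submariner-io/submariner's actual files, and not the linked systemd or go-github configs): a `dependabot.yml` that enables the `github-actions` ecosystem so Dependabot proposes SHA bumps, and a workflow that keeps the job token at least privilege while those bumps are being reviewed. The `example/action` pin is a placeholder SHA, not a real release.

```yaml
# .github/dependabot.yml (added example, not the project's file)
version: 2
updates:
  - package-ecosystem: "github-actions"   # scans .github/workflows/*.yml
    directory: "/"
    schedule:
      interval: "weekly"
---
# .github/workflows/ci.yml fragment (added example, not the project's file)
name: ci
on: [pull_request]
permissions: {}            # workflow default: GITHUB_TOKEN gets no scopes
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # the only scope this job needs
    steps:
      # placeholder SHA; Dependabot rewrites the SHA (and, per the close of
      # this issue, the comment) when a new release is tagged upstream
      - uses: example/action@0123456789abcdef0123456789abcdef01234567 # v1.2.0
```

With `permissions: {}` at the top and only `contents: read` on the job, an action that was bumped to a bad commit, or whose upstream repository was compromised, runs with a read-only token rather than the default write-capable one. Each Dependabot PR is then a one-line SHA diff that a reviewer can compare against the upstream release before merging, which is the careful review the commit message asks for.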
dfarrell07 added a commit to submariner-io/submariner that referenced this issue Mar 28, 2022
astoycos pushed a commit to astoycos/submariner that referenced this issue Apr 14, 2022
astoycos pushed a commit to astoycos/submariner that referenced this issue Apr 14, 2022
anfredette pushed a commit to submariner-io/submariner that referenced this issue Apr 15, 2022
@npalm

npalm commented May 18, 2022

An alternative to this limitation of dependabot could be https://github.com/sethvargo/ratchet

@npalm

npalm commented May 18, 2022

Any updates on plans or roadmap of dependabot to support updating based on SHA instead of semver?

@TriplEight
Author

@npalm

Any updates on plans or roadmap of dependabot to support updating based on SHA instead of semver?

Evidently, it does, but as @willnorris mentioned, for readability a human should update the comment with the actual version.

@kuhnroyal

From what I can tell, dependabot recently started updating #x.y.z comments behind SHA pinned versions.

@willnorris

Oh, that would be fantastic if that's the case! Do you have an example?

@kuhnroyal

Only in internal repositories.
[Screenshot, 2022-11-09 17:04:06]

@deivid-rodriguez
Contributor

Yes, this was recently contributed by the community! 🎉

Closing this since it's now fixed!

novad03 pushed a commit to novad03/k8s-submariner that referenced this issue Nov 25, 2023
6 participants