For actions that are pinned-by-hash, bump the human readable version number in the code comment

[ChrisCarini]

Hello!

As good security practice and guided by the code scanning alert for 'Pinned-Dependencies' from the ossf/scorecard project, users are encouraged to pin GitHub workflow actions by hash. The example provided by the scorecard repoincludes a comment following the action+pinned-hash, example below:

     - name: Clone the code
       uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4

Subsequent updates by dependabot do not bump the version in the comment, leading to confusion and incorrect information. An example of this can be found here: ChrisCarini/environment-variable-settings-summary-intellij-plugin#36

Below is a before & after example of the above linked PR

Before

After

Summary

Dependabot updated ossf/scorecard-action from version v1.0.1 to v1.0.2.

In the "Before", the hash was updated correctly, however the trailing comment with the tag version, was not.

Hash	Tag Version
e3e75cf2ffbf9364bbff86cdbdf52b23176fe492	v1.0.1
c8416b0b2bf627c349ca92fc8e3de51a64b005cf	v1.0.2

I believe this change would help GitHub workflow owners to have a better security posture w.r.t. using hash-pinned GitHugb action dependencies, while also having improved ergonomics to be able to quickly verify they are on the correct version.

This idea shares similar sentiment of #3699

(I would consider trying to make a code change for this, however I lack expertise in Ruby and have thus far struggled to get the project opened for development.)

[jeffwidman]

I think this is a great idea and we'd happily merge a PR if anyone wants to take a crack at it. Looking at the relevant code, I don't think it'd be that hard to implement.

A few design notes:

1. Another comment format we should support (from Update version comment when hashes are updated in pull requests #5314) is # pin @v2.4.0. Other variations are probably # @v2.4.0 etc. Or we could simply pick one and go with it... I doubt most users would complain after the initial migration.
2. Probably we should only bump this pin if it's present... although a part of me wonders if always appending it to SHAs might be both more useful and easier to implement/maintain??
3. It should only be modified if the actual version is a SHA... that avoids accidentally bumping random other comments if the actual version is already human readable.

[lucacome]

I want to pin the dependencies in our repos, but I'm kinda waiting for this feature to be implemented. It will make it much easier to maintain.

I was looking into StepSecurity to do the first pass in all the workflows and found step-security/secure-repo#1087. They removed the tag comment because dependabot doesn't support updating it.

I also wanted to point out that the OpenSSF action uses yet another format for the comment when you create their workflow

  - name: "Checkout code"
    uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0

not sure how popular this is...I think # v3.0.0 is more than enough and I'd be okay with dependabot overwriting the comment when updating the dependency.

[jeffwidman]

I just deployed this feature, many thanks to @jproberts for contributing the PR.

Many variations of version tags are supported, for examples see the unit tests:

dependabot-core/github_actions/spec/fixtures/workflow_files/pinned_sources_version_comments.yml

Lines 7 to 30 in b4112ce

	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0
	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # 2.1.0
	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # @v2.1.0
	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # pin @v2.1.0
	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # tag=v2.1.0
	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0
	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 #v2.1.0
	# The comment on the next line has a trailing tab. The version should still be updated.
	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 #v2.1.0
	- uses: actions/checkout@01aecc # v2.1.0
	integration:
	- uses: actions/checkout@v2.1.0 # comments that include the version (v2.1.0) shouldn't be updated for non-SHA refs
	- uses: actions/checkout@01aecc#v2.1.0 # this shouldn't be updated, because the version is part of the ref, not a comment.
	# The version in the comment for the next action shouldn't be updated
	# because it refers to past behavior.
	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # Versions older than v2.1.0 have a security vulnerability
	# The versions in the comment for the next action won't be updated.
	# The first version could be updated, but it's difficult to create
	# a heuristic that recognizes the first version as a version alias
	# for the SHA commit, and the second version as a concrete version
	# that shouldn't change. For simplicity, we don't update either.
	- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0 - Versions older than v2.1.0 have a security vulnerability

If you hit bugs please let us know.