build: move GitHub actions to versions allowed by prodsec #17238
Conversation
The `backspace/ember-asset-size` action we're using is unmaintained and has a bunch of vulns in it, so it won't pass security screening (this is a NodeJS action so it has piles of dependencies, 99% of which won't be in use but fails automated screening anyways). Move this to the upstream version.

The `machine-learning-apps/pr-comment` action also presents a problem for the ProdSec security screening because it's archived and also runs an external Docker image. Move this to a likely-ok maintained action for now, until we can spare some time to remove this in lieu of something more reasonable that isn't a GitHub action.

Once this is tested, I'll then have to follow up in https://github.com/hashicorp/security-tsccr/pull/428 to pin the SHA, and then I'll have to follow up once that other PR is merged to pin the SHAs here.
Thanks, Tim! Any idea why we were using forked / lesser-used versions before?
Ember Test Audit comparison
Also, we have this fork too, https://github.com/backspace/ember-test-audit which is a fork of https://github.com/DingoEatingFuzz/ember-test-audit. It looks like @DingoEatingFuzz's version is further along. Should we switch to that as well?
At a glance, yeah, I think using @DingoEatingFuzz's ember-test-audit is the right move (Michael, please let us know if you think otherwise!). My (very limited!) understanding was that GH Actions run in the PR in which they're being added, so I'm also surprised that asset-size didn't run. But we can revisit that later if it doesn't materialize in future PRs.
Sorry, I mixed up. I'm going to update https://github.com/hashicorp/security-tsccr/pull/428 with the resulting changes, and then after that's merged I'll update this PR with the pinned SHAs.
https://github.com/hashicorp/security-tsccr/pull/428 has been merged and I've pinned all workflows. Once CI is green I'll merge and backport this. |
The file path in the TSCCR repo for the `returntocorp/semgrep` action was incorrect, so the pinning tool was not able to find the correct entry and it was not pinned in #17238. The repository is fixed in hashicorp/security-tsccr#431
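The thread above is about replacing unmaintained actions and then pinning every `uses:` reference to a commit SHA via the TSCCR pinning tool, and the comment just above shows what happens when that tool silently skips an entry. As an added example that is not code from the Nomad repository or from the hashicorp/security-tsccr tooling, here is a dependency-free Python check that walks a workflow's `uses:` lines and reports anything not pinned to a full 40-hex commit SHA (or, for `docker://` images, a sha256 digest). The sample workflow, action names, SHAs and digest are constructed placeholders, not real commits or images; the `returntocorp/semgrep@main` line is there to show the kind of entry that slipped through.

```python
import re

# Constructed sample workflow for illustration only; not a file from the Nomad repo.
# The SHAs and the image digest are placeholders, not real commits or images.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3.5.3
      - uses: actions/setup-node@v3
      - uses: returntocorp/semgrep@main
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.18
      - uses: docker://alpine@sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
      - uses: 'some-org/some-action@fedcba9876543210fedcba9876543210fedcba98'
"""

# Only a full 40-hex commit SHA counts as pinned; tags, branches and short SHAs do not.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
# For docker:// images, only a sha256 digest is immutable; an image tag is not.
IMAGE_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")
# Matches `- uses: value # optional comment`, with or without quotes around the value.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?\s*(#.*)?$""")


def classify_ref(uses):
    """Classify a `uses:` value.

    Returns one of:
      'local'   - action in the same repo (./path); nothing to pin
      'sha'     - GitHub action pinned to a full 40-hex commit SHA
      'digest'  - docker:// image pinned by sha256 digest
      'mutable' - tag, branch, image tag or missing ref; can change underneath you
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        image = uses[len("docker://"):]
        if "@" in image and IMAGE_DIGEST.match(image.rsplit("@", 1)[1]):
            return "digest"
        return "mutable"
    if "@" not in uses:
        return "mutable"
    ref = uses.rsplit("@", 1)[1]
    return "sha" if COMMIT_SHA.match(ref) else "mutable"


def audit_workflow(text):
    """Return (line_no, uses, kind, has_version_comment) for every uses: line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        uses, comment = m.group(1), m.group(2)
        findings.append((line_no, uses, classify_ref(uses), comment is not None))
    return findings


def unpinned(text):
    """Only the mutable references: the lines a pinning pass must have missed."""
    return [(n, u) for n, u, kind, _ in audit_workflow(text) if kind == "mutable"]


def sha_without_version_comment(text):
    """SHA-pinned refs with no trailing `# vX.Y.Z` comment. A bare SHA is opaque to
    reviewers, and update tooling that bumps SHA pins conventionally reads that comment."""
    return [(n, u) for n, u, kind, has_comment in audit_workflow(text)
            if kind == "sha" and not has_comment]


if __name__ == "__main__":
    for n, u in unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: not pinned: {u}")
    for n, u in sha_without_version_comment(SAMPLE_WORKFLOW):
        print(f"line {n}: pinned, but no version comment: {u}")
```

Two caveats the thread touches on are visible in the classifier: pinning an action's repository SHA freezes its `action.yml` but not a `docker://` image that a container action pulls at run time, so an archived action that wraps an external image stays mutable unless the image itself is referenced by digest; and a SHA with no trailing version comment is reported separately because it leaves reviewers, and the tooling that later bumps the pin, no way to tell which release the SHA corresponds to.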
Despite the very confusing PRs linked to above, this was in fact backported to 1.3.x.