
Use SHA-1 hashes instead of mutable refs for GH action dependencies #3402

Closed
daniel-beck opened this issue Feb 24, 2023 · 6 comments

@daniel-beck

Service(s)

GitHub

Summary

Looking at #3355 and some of the repos linked there, none of the actions use a SHA-1 reference to tags.

As a security best practice, SHA-1 references instead of tags (or branches) should be used, to prevent upstream from replacing the tag introducing behavior changes, in the worst case malicious behavior. I think it's safe to continue using these tags for action/… actions or our own, but third party actions should be handled more strictly.

See also jenkinsci/jenkins#7113 which brought this problem up in the context of actions used in jenkinsci/jenkins.

Reproduction steps

No response

daniel-beck added the triage label Feb 24, 2023
@dduportal
Contributor

Looks like it is supported by dependabot: dependabot/dependabot-core#2835

lemeurherve self-assigned this Feb 24, 2023
lemeurherve added the github-action label and removed the triage label Feb 24, 2023
@lemeurherve
Member

lemeurherve commented Feb 24, 2023

@dduportal thanks for the link, it's where I found out about https://github.com/sethvargo/ratchet, which in combination with https://github.com/lindell/multi-gitter allowed me to quickly pin all GitHub actions.

@daniel-beck thanks for the suggestion, let me know if you want me to do the same on some @jenkinsci repositories, it shouldn't take me long to do it now that I have a working script 😉

@daniel-beck
Author

daniel-beck commented Feb 24, 2023

FWIW my preference is to keep jenkins-infra/, github/, and actions/ org stuff as mutable refs given their very low risk (IMO). If you disagree, could you explain why? Thanks.

@lemeurherve
Member

Yes, sorry about that, I read your issue too fast at first. I reviewed my script and my pull requests to keep actions/* GHA with a version instead of a SHA-1.

We (infra team) agree with you, I'll rework/review the pull requests to also keep the jenkins-infra/* and github/* one.

@lemeurherve
Member

lemeurherve commented Feb 24, 2023

For the record, there are currently 43 distinct GitHub actions used in @jenkins-infra repositories.

List of unique GHA used:
actions-cool/issues-similarity-analysis
actions/checkout
actions/github-script
actions/setup-go
actions/setup-java
actions/setup-node
actions/setup-python
actions/upload-artifact
andymckay/labeler
aws-actions/configure-aws-credentials
azure/setup-helm
crowdin/github-action
docker://jnorwood/helm-docs:latest
docker/build-push-action
docker/login-action
docker/setup-buildx-action
docker/setup-qemu-action
gaurav-nelson/github-action-markdown-link-check
github/codeql-action/analyze
github/codeql-action/autobuild
github/codeql-action/init
github/codeql-action/upload-sarif
golangci/golangci-lint-action
goreleaser/goreleaser-action
helm/chart-releaser-action
jenkins-infra/fetch-codeql-action
jenkins-infra/interesting-category-action
jenkins-infra/jenkins-maven-cd-action
jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml
jenkins-infra/jenkins-version
jenkins-infra/uc
jenkins-infra/verify-ci-status-action
jenschelkopf/issue-label-notification-action
klakegg/actions-hugo
maxkomarychev/pr-updater-action
mikefarah/yq
ossf/scorecard-action
peter-evans/create-pull-request
release-drafter/release-drafter
stefanbuck/github-issue-parser
tibdex/github-app-token
tspascoal/get-user-teams-membership
updatecli/updatecli-action

And before these pull requests, 71 actions with different versions.

Actions with all their versions:
actions-cool/issues-similarity-analysis@v1
actions-cool/issues-similarity-analysis@v1.0.0
actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
actions/checkout@v2
actions/checkout@v3
actions/checkout@v3.3.0
actions/github-script@v6
actions/setup-go@v2
actions/setup-go@v3
actions/setup-java@v3
actions/setup-node@v2
actions/setup-node@v3
actions/setup-python@v2
actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
actions/upload-artifact@v3
andymckay/labeler@master
aws-actions/configure-aws-credentials@v1-node16
azure/setup-helm@v1
azure/setup-helm@v3
crowdin/github-action@1.5.2
docker://jnorwood/helm-docs:latest
docker/build-push-action@v2
docker/build-push-action@v4
docker/login-action@v1
docker/login-action@v2
docker/setup-buildx-action@v1
docker/setup-buildx-action@v2
docker/setup-qemu-action@v1
docker/setup-qemu-action@v2
gaurav-nelson/github-action-markdown-link-check@v1
github/codeql-action/analyze@v1
github/codeql-action/analyze@v2
github/codeql-action/autobuild@v1
github/codeql-action/autobuild@v2
github/codeql-action/init@v1
github/codeql-action/init@v2
github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100
github/codeql-action/upload-sarif@v2
golangci/golangci-lint-action@v2
golangci/golangci-lint-action@v3
golangci/golangci-lint-action@v3.1.0
goreleaser/goreleaser-action@v2.4.1
goreleaser/goreleaser-action@v2.9.1
goreleaser/goreleaser-action@v4.2.0
helm/chart-releaser-action@v1.2.0
helm/chart-releaser-action@v1.5.0
jenkins-infra/fetch-codeql-action@v1
jenkins-infra/interesting-category-action@v1.2.1
jenkins-infra/jenkins-maven-cd-action@v1.3.3
jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
jenkins-infra/jenkins-version@0.3.1
jenkins-infra/uc@0.1.4
jenkins-infra/verify-ci-status-action@v1.2.2
jenschelkopf/issue-label-notification-action@1.3
klakegg/actions-hugo@1.0.0
maxkomarychev/pr-updater-action@v1.0.0
mikefarah/yq@v4.6.0
ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d
peter-evans/create-pull-request@v3
peter-evans/create-pull-request@v4
release-drafter/release-drafter@v5
release-drafter/release-drafter@v5.22.0
stefanbuck/github-issue-parser@v3
tibdex/github-app-token@v1
tibdex/github-app-token@v1.5
tibdex/github-app-token@v1.8
tspascoal/get-user-teams-membership@v2
updatecli/updatecli-action@v1.19.0
updatecli/updatecli-action@v1.32.0
updatecli/updatecli-action@v2
updatecli/updatecli-action@v2.21.0
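The list above mixes tags (`@v3`, `@1.3`), a branch (`@master`), full commit SHAs and a `docker://` image. As an added example, not the script from #3408 and not the ratchet tool mentioned earlier in the thread, the following Python pinner applies the policy the thread settles on: actions under `actions/`, `github/` and `jenkins-infra/` keep their tag, every other owner is rewritten to `owner/repo@<40-hex sha> # <tag>` so the tag survives as a trailing comment. The sample workflow, the `TRUSTED_ORGS` set and the `FAKE_SHAS` table are constructed here so the example runs offline; `ls_remote_resolver` shows how the real lookup would be done with `git ls-remote`.

```python
"""Pin third-party GitHub Actions in a workflow file to full commit SHAs.

Example code added to this page; it is not the jenkins-infra script (#3408)
and not ratchet. Assumptions: orgs are matched on the first path segment of
the `uses:` target, and an existing trailing comment is replaced by `# <ref>`.
"""
import re
import subprocess
from typing import Callable, List, Optional, Tuple

# Assumption: these orgs stay on mutable refs, per the agreement in this thread.
TRUSTED_ORGS = {"actions", "github", "jenkins-infra"}

USES_RE = re.compile(r"^(?P<head>\s*-?\s*uses:\s*)(?P<target>[^\s#]+)(?P<tail>.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# (owner/repo, ref) -> commit sha, or None when the ref cannot be resolved
Resolver = Callable[[str, str], Optional[str]]


def trusted(path: str) -> bool:
    """True for actions/checkout, github/codeql-action/init, jenkins-infra/... etc."""
    return path.split("/", 1)[0] in TRUSTED_ORGS


def pin_workflow(text: str, resolve: Resolver) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Return (rewritten workflow text, report). Report rows are (status, target, ref)."""
    out, report = [], []
    for line in text.splitlines():
        m = USES_RE.match(line)
        target = m.group("target") if m else None
        if not m or "@" not in target or target.startswith(("docker://", "./")):
            if m:
                # docker:// is pinned by image digest, ./ is in-repo: no git ref to rewrite
                report.append(("skipped", target, ""))
            out.append(line)
            continue
        path, ref = target.rsplit("@", 1)
        if SHA_RE.fullmatch(ref) or trusted(path):
            report.append(("kept", path, ref))
            out.append(line)
            continue
        owner_repo = "/".join(path.split("/")[:2])  # drop subpaths like codeql-action/init
        sha = resolve(owner_repo, ref)
        if sha is None:
            report.append(("unresolved", path, ref))
            out.append(line)
            continue
        out.append(f"{m.group('head')}{path}@{sha} # {ref}")
        report.append(("pinned", path, ref))
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), report


def ls_remote_resolver(owner_repo: str, ref: str) -> Optional[str]:
    """Resolve a tag or branch to a commit SHA with `git ls-remote` (needs network).

    An annotated tag is listed twice: refs/tags/<ref> is the tag object, which is
    not a valid `uses:` pin, and refs/tags/<ref>^{} is the commit it points to.
    """
    url = f"https://github.com/{owner_repo}.git"
    proc = subprocess.run(
        ["git", "ls-remote", url, f"refs/tags/{ref}", f"refs/heads/{ref}"],
        capture_output=True, text=True, check=False,
    )
    found = {}
    for row in proc.stdout.splitlines():
        sha, _, name = row.partition("\t")
        found[name] = sha
    for name in (f"refs/tags/{ref}^{{}}", f"refs/tags/{ref}", f"refs/heads/{ref}"):
        if name in found:
            return found[name]
    return None


# Constructed sample mirroring ref styles seen in this thread (not a real jenkins-infra file).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
      - uses: jenkins-infra/jenkins-version@0.3.1
      - uses: andymckay/labeler@master
      - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d
      - uses: docker://jnorwood/helm-docs:latest
      - uses: release-drafter/release-drafter@v5
"""

# Constructed tag->SHA table so the example runs offline; real pins come from ls_remote_resolver.
FAKE_SHAS = {
    ("andymckay/labeler", "master"): "a" * 40,
    ("release-drafter/release-drafter", "v5"): "b" * 40,
}


def demo() -> Tuple[str, List[Tuple[str, str, str]]]:
    return pin_workflow(SAMPLE, lambda repo, ref: FAKE_SHAS.get((repo, ref)))


if __name__ == "__main__":
    text, report = demo()
    print(text)
    for row in report:
        print(*row)
```

Two practitioner caveats are built in. First, `ls_remote_resolver` prefers the peeled `^{}` line: pinning to the SHA of an annotated tag object rather than the commit it points to produces a `uses:` reference GitHub cannot check out. Second, `docker://` references are only reported, since an image is pinned by its digest rather than by a git commit. Keeping the tag in the trailing comment is what lets Dependabot, which dduportal notes supports SHA pins, keep proposing version bumps for the pinned line.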

lemeurherve added a commit to jenkins-infra/jenkins-io-components that referenced this issue Feb 24, 2023
lemeurherve pushed a commit to lemeurherve/helpdesk that referenced this issue Feb 24, 2023
…actions with their SHA-1 instead of their version number
@lemeurherve
Member

Almost all pull requests taken into account, closing this issue.

For the record here is the script I've used: #3408

lemeurherve added a commit that referenced this issue Feb 24, 2023
…their SHA-1 instead of their version number (#3408)