Ideas to improve effectiveness of pinned Actions #1627
varunsh-coder started this conversation in Ideas
Replies: 0 comments
Pinning of Actions to a commit SHA is a best practice as per the GitHub Actions hardening guide and is a check in Scorecards.

I have observed that developers use Dependabot, Renovatebot or similar tools to automatically update their dependencies. As a result, I have started to wonder if there is a need to improve the effectiveness of pinned Actions.

E.g. if an attacker compromises the GitHub account of an Action maintainer, or somehow gets write access to the Action repo, the attacker can release a new version of the Action with malicious code. Now, since most developers are using auto-update for dependencies, they will get a PR with the new version. My hypothesis is that most developers do not look at the changes made in the Action, and just approve the PR.

As a result, pinning of the Action leads to this cycle of the Action being updated and then PRs being created in all repos using that Action. But is this cycle actually reducing risk? How can this cycle be made better, so that if a new version of an Action is actually malicious, developers don't approve the PR for that change? Please let me know if there are questions around my explanation.
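As an added example (not code from the original discussion, from Scorecards or from GitHub), here is a small Python checker that classifies every `uses:` reference in a workflow file the way a SHA-pinning check would, so a reviewer can see at a glance which references are immutable and which a maintainer or attacker could move. The sample workflow, its action names and its 40-hex SHA are all constructed placeholders.

```python
import re

# Constructed sample workflow (not a real repository file) mixing the
# reference styles seen in the wild; the SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-node@v4
      - uses: some-org/some-action@main
      - uses: some-org/other-action@0123456
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")  # value up to any '# v1.2.3' comment
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")

def classify_ref(uses: str) -> str:
    """Return how a single 'uses:' value is pinned."""
    if uses.startswith("./"):
        return "local"        # same-repo action: versioned with the repo itself
    if uses.startswith("docker://"):
        return "docker"       # image pinning (tag vs digest) is a separate check
    if "@" not in uses:
        return "unpinned"     # no ref at all
    ref = uses.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(ref):
        return "sha"          # immutable: the only form the hardening guide calls pinned
    if SHORT_SHA_RE.match(ref):
        return "short-sha"    # resolvable today, but abbreviations are not collision-proof
    if re.match(r"^v?\d", ref):
        return "tag"          # mutable: the maintainer (or an attacker) can move it
    return "branch"           # mutable: follows whatever is pushed

def audit_workflow(text: str) -> dict[str, list[str]]:
    """Group every 'uses:' reference in a workflow file by pinning style."""
    report: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            report.setdefault(classify_ref(m.group(1)), []).append(m.group(1))
    return report

def mutable_refs(text: str) -> list[str]:
    """References a SHA-pinning check (like the Scorecards one) would flag."""
    rep = audit_workflow(text)
    return [u for k in ("tag", "branch", "short-sha", "unpinned") for u in rep.get(k, [])]
```

Running `audit_workflow(SAMPLE_WORKFLOW)` shows that only the `actions/checkout` step is truly pinned; a Dependabot PR that swaps that SHA is the moment the human review the post asks about has to happen.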