Skip to content

Pin versions of GitHub Actions to full commit hash#3

Open
Dan P (cuotos) wants to merge 1 commit into
mainfrom
pin-github-actions
Open

Pin versions of GitHub Actions to full commit hash#3
Dan P (cuotos) wants to merge 1 commit into
mainfrom
pin-github-actions

Conversation

@cuotos

Copy link
Copy Markdown

What?

This PR pins versions of GitHub Actions to full commit hash by pinact.
In general, this PR doesn't change the behavior of the workflows, so you can merge this safely.

Why?

A while ago, the popular GitHub Action tj-actions/changed-files action was compromised.

All tags were tampered and they pointed to a revision with malicious code.

The issue was solved, but similar issues could happen again.
To avoid this kind of issues, we should pin versions of GitHub Actions.
This is a common practice of GitHub Actions.

https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Pin actions to a full length commit SHA
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

How was this pull request created?

This pull request was created by pinact and multi-gitter.

Deadling

We will be turning on a global setting that will ENFORCE that all actions can only use pinned versions, if others are in use, the workflow will fail

Contact

If you have any question, please ask at the Slack channel #tech-platform

## What?

This PR pins versions of GitHub Actions to full commit hash by pinact.
In general, this PR doesn't change the behavior of the workflows, so you can merge this safely.

## Why?

A while ago, the popular GitHub Action tj-actions/changed-files action was compromised.

- https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
- https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

All tags were tampered and they pointed to a revision with malicious code.

The issue was solved, but similar issues could happen again.
To avoid this kind of issues, we should pin versions of GitHub Actions.
This is a common practice of GitHub Actions.

https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

> Pin actions to a full length commit SHA
> Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
> Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
> When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

## How was this pull request created?

This pull request was created by [pinact](https://github.com/suzuki-shunsuke/pinact) and [multi-gitter](https://github.com/lindell/multi-gitter).

## Deadling

We will be turning on a global setting that will ENFORCE that all actions can only use pinned versions, if others are in use, the workflow will fail
## Contact

If you have any question, please ask at the Slack channel #tech-platform
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant