chore: use fixed hashes for the dependency actions #79
Thanks for this great action!
Since the action is dependent on some other actions (`JamesIves/github-pages-deploy-action@v4`, `marocchino/sticky-pull-request-comment@v2`), it may be susceptible to some supply chain attacks, see here: https://www.rwx.com/blog/github-actions-is-vulnerable-to-supply-chain-attacks

Some malicious actor could take over the mentioned dependencies and change the v2 release to any arbitrary release without anyone noticing. That's why it's a good practice to pin your actions and their dependencies (some orgs even enforce this).

When pinning this action to a specific commit in the repo settings, you still need to pin the dependencies to `v2`/`v4` and cannot set them to a specific commit since the action definition requires versions.

This PR mitigates the supply chain attack risk by pinning all dependencies to a specific version. I understand that this slightly increases maintenance efforts, as minor and patch updates to the upstream actions need to be done by hand. However, I advocate that in the spirit of security, this change is useful. Please LMK your thoughts.
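As an added example (not part of this PR or the project's own code), a small check a maintainer could run over an `action.yml` or workflow file to flag `uses:` references that are still pinned to a mutable tag instead of a full commit SHA. The sample YAML fragment and the 40-hex SHA in it are constructed placeholders, not real commits.

```python
import re
from typing import List, Tuple

# A 40-character lowercase hex string is a full git commit SHA, the only
# immutable reference form GitHub Actions accepts in `uses:`.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches a `uses:` line (with or without a leading list dash) and captures the ref.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")


def is_sha_pinned(ref: str) -> bool:
    """Return True if an action reference like owner/repo@<ref> uses a full commit SHA."""
    if "@" not in ref:
        return False  # no ref at all: resolves to the default branch, which is mutable
    _, _, version = ref.rpartition("@")
    return bool(FULL_SHA.fullmatch(version))


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str]]:
    """Scan YAML text and return (line_number, ref) for every `uses:` reference
    that is not pinned to a full commit SHA. Local actions (./path) and
    docker:// images are skipped because they are not resolved via a git tag."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_sha_pinned(ref):
            findings.append((lineno, ref))
    return findings


# Constructed sample action.yml fragment: the first two refs mirror the tag-pinned
# dependencies discussed in this PR; the SHA is a placeholder, not a real commit.
SAMPLE_ACTION_YML = """\
runs:
  using: composite
  steps:
    - uses: JamesIves/github-pages-deploy-action@v4
    - uses: marocchino/sticky-pull-request-comment@v2
    - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
    - uses: ./local-helper
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_ACTION_YML):
        print(f"line {lineno}: {ref} is pinned to a mutable tag, not a commit SHA")
```

Keeping the version as a trailing comment next to the SHA (as in the `actions/checkout` line) is what lets tools such as Dependabot keep proposing updates to the pinned commit.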