Conversation

userdocs (Contributor)

@userdocs userdocs commented Sep 1, 2025

Update all actions to full commit sha of latest tag to mitigate supply chain attacks. This was done using renovate but dependabot should be able to maintain the updates in the same format once it's converted.

It is advised by github https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions to do this.

All actions are updated to the latest release tag SHA with a comment of the semver version.
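The pinning format this PR introduces (full 40-hex commit SHA followed by a `# vX.Y.Z` comment) is easy to audit mechanically, which addresses the "someone has to check it" concern raised below. The following is an added example check, not code from this PR or from the repository; the workflow lines and the 40-hex SHA in it are constructed placeholders, and the function names are my own:

```python
import re

# Constructed sample workflow (not from the PR); the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: CI
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: actions/cache@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SEMVER_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")

def classify(line):
    """Return (ref, status) for a `uses:` line, or None if the line is not one."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref, comment = m.group("ref"), (m.group("comment") or "").strip()
    if ref.startswith(("./", "docker://")):
        return ref, "skip"              # local or container actions carry no upstream git ref
    if "@" not in ref:
        return ref, "unpinned"          # no ref at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        # Pinned; the semver comment is what lets a human (or a bot) map the SHA to a release.
        return ref, "sha" if SEMVER_RE.match(comment) else "sha-no-version-comment"
    if SEMVER_RE.match(version):
        return ref, "tag"               # mutable: a tag can be moved to another commit
    return ref, "branch"                # mutable: follows whatever the branch head becomes

def audit(text):
    """Map every action ref in a workflow to its pin status, skipping local/docker refs."""
    out = {}
    for line in text.splitlines():
        r = classify(line)
        if r and r[1] != "skip":
            out[r[0]] = r[1]
    return out

def not_in_pinned_format(text):
    """Refs that do not follow the SHA + semver-comment format this PR adopts."""
    return sorted(ref for ref, status in audit(text).items() if status != "sha")
```

Running `not_in_pinned_format` over each file under `.github/workflows/` in CI gives a cheap regression check that no future edit reintroduces a tag or branch reference.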

@Chocobo1 (Member)

Chocobo1 commented Sep 5, 2025

I thought about it but I don't think it is worth it. I'm not going to meticulously check that every hash is correct every time it updates (monthly). Even if the hash update is done automatically by a bot, some human still has to verify it, don't they? And it won't help if the upstream repo already contains undetected malicious commits or leaked write access. This PR only guards against branch/tag changes, which is not the main problem for a compromised repo.

@userdocs (Contributor, Author)

userdocs commented Sep 5, 2025

I think a full hash of the full semver would be a requirement of https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases

So if people started doing that, an existing tag or release cannot be modified.

You can maybe just sit on the PR until immutable releases are out and see if it works for that?

@Chocobo1 Chocobo1 added the CI Issues/PRs related to CI label Sep 7, 2025