Hi, I'd like to suggest the ffms2 project to hash pin the actions on GitHub workflows. It seems that only the actions/checkout@v2 would be affected. Although it is a GitHub-owned Action, it is still an open source project and can be exposed to the same risks an open source project is.
Benefits of hash pinning:
Improve security by ensuring that only trusted code is used.
Increase reliability by preventing unexpected changes from breaking builds.
Prevents tag renaming attacks (whereby an attacker creates a malicious version and uses an old version tag you are linked to—v2.1.3 for example).
Avoid blind updates to malicious versions, providing time for the vulnerability to be found and fixed before you are even notified about the new version.
Together with hash pinning it is good to adopt a dependency update tool such as dependabot and renovatebot that helps with identifying new versions and creating PRs to upgrade them.
You can help mitigate this risk by following these good practices:
Pin actions to a full length commit SHA
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Let me know if a PR would be welcome and I'll submit it ASAP.
Additional Context
Patch Version pinning (@v2.1.3) instead of Major Version pinning (@v2) already provides some of the benefits above except for preventing tag renaming attacks and, by extension, ensuring that only trusted code is used. To prevent this, GitHub was working on making actions' releases immutable, which would make Patch Version pinning enough, but this was deprioritized since the layoffs and is now planned for "some time in the future".
That's why, for now, hash pinning is still needed.
This practice is recommended by both the OpenSSF Scorecard and GitHub itself.
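As an added illustration of the check being proposed (this is example code written for this page, not from the issue author or the ffms2 project), the script below scans a workflow for `uses:` references and reports every one that is not pinned to a full-length commit SHA, distinguishing mutable major tags (`@v2`), patch tags (`@v2.1.3`) and abbreviated SHAs. It also flags SHA-pinned steps that lack the trailing `# vX.Y.Z` comment that dependabot and renovate use to recognise which release a SHA corresponds to. The sample workflow and all SHAs in it are constructed placeholders, not real commits of the actions named.

```python
import re

# Constructed sample workflow for this example; it is not taken from the ffms2
# repository. The 40-hex SHAs are made-up placeholders, not real commits of the
# actions named.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v4.7.1
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v3.3.2
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - run: make
"""

# A `uses:` line -> (reference, optional trailing comment after '#')
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")   # abbreviated SHA: not a full-length pin
PATCH_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")  # e.g. v2.1.3


def classify(ref: str) -> str:
    """Describe how a `uses:` reference is pinned."""
    if ref.startswith(("./", "docker://")):
        return "not-applicable"  # local actions and Docker images are pinned differently
    if "@" not in ref:
        return "unpinned"
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version):
        return "sha"
    if SHORT_SHA_RE.match(version):
        # A tag that happens to be all hex digits would land here too; acceptable for a lint
        return "short-sha"
    if PATCH_TAG_RE.match(version):
        return "patch-tag"
    return "mutable-tag"  # major tag, branch name or anything else that can move


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line number, reference, classification) for every `uses:` entry
    that is not pinned to a full-length commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify(ref)
        if kind not in ("sha", "not-applicable"):
            findings.append((lineno, ref, kind))
    return findings


def missing_version_comment(workflow_text: str) -> list[tuple[int, str]]:
    """SHA-pinned references without a trailing `# vX.Y.Z` comment. Update tools
    (dependabot, renovate) read that comment to know which release the SHA is."""
    out = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if classify(ref) == "sha" and not (comment and PATCH_TAG_RE.match(comment.strip())):
            out.append((lineno, ref))
    return out


def pin(ref: str, full_sha: str, tag: str) -> str:
    """Rewrite a tag reference as a SHA pin with the version comment convention."""
    if not FULL_SHA_RE.match(full_sha):
        raise ValueError("expected a full-length (40 hex) commit SHA")
    action = ref.rsplit("@", 1)[0]
    return f"{action}@{full_sha} # {tag}"


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is {kind}; pin it to a full commit SHA")
    for lineno, ref in missing_version_comment(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} has no '# vX.Y.Z' comment for update tools")
```

The check is purely local: it tells you which references can still move, but not whether a given SHA actually belongs to the action's own repository rather than a fork, so the "verify it is from the action's repository" step quoted above still has to be done against the upstream repository before the SHA is written into the workflow.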