aws-powertools / powertools-lambda-typescript

Powertools is a developer toolkit to implement Serverless best practices and increase developer velocity.
https://docs.powertools.aws.dev/lambda/typescript/latest/
MIT No Attribution

Maintenance: harden workflows by pinning 3rd party actions to full length SHA number #1025

Closed dreamorosi closed 1 year ago

dreamorosi commented 2 years ago

Problem statement

Workflows can use 3rd party actions. When specifying an action in a workflow you can use a version (i.e. actions/setup-node@v3) or specify a full length SHA number (i.e. peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305).

When using the first method, two workflow executions could be using versions of a 3rd party action that correspond to different commits. This exposes the repository running the workflow to the risk of a bad actor adding a backdoor to the action's repository.

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate this risk, as they would need to generate a SHA-1 collision for a valid Git object payload.

Summary of the feature

Go through all existing workflows in this repo and pin all 3rd party actions to a specific full length SHA number.

Also, to avoid future oversights, add a workflow (see next section) that runs whenever a change is made under .github/workflows/* (the folder that contains the workflows run by GitHub Actions and also the only place where 3rd party actions can be defined/used).

As a maintainer, we should see the following error when non-compliant: [screenshot of the failing workflow check]

Code examples

See workflow used in the Powertools for Python repository here.

Benefits for you and the wider AWS community

Hardened security for the repository.

Describe alternatives you've considered

N/A

Additional context

Recommendations on hardening security in the official docs of GitHub Actions: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Related issues, RFCs

https://github.com/awslabs/aws-lambda-powertools-python/pull/1301
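A small checker for the policy described in this issue, added here as an example and not code from the Powertools repository or its workflows: it scans workflow text for `uses:` references and reports every third-party action whose ref is not a full-length (40 hex character) commit SHA. The sample workflow, the constructed setup-node SHA inside it, and the `allowedOwners` parameter (owners you choose to keep trusting by tag) are assumptions.

```typescript
// Added example: detect GitHub Actions `uses:` references that are not pinned to a commit SHA.

interface UsesRef {
  line: number;   // 1-based line number in the workflow file
  action: string; // e.g. "peaceiris/actions-gh-pages"
  ref: string;    // the part after "@": tag, branch or commit SHA
}

// Matches step- or job-level lines such as `- uses: owner/repo@ref` (quotes and trailing comments tolerated).
const USES_RE = /^\s*-?\s*uses:\s*["']?([^@\s"']+)@([^\s"'#]+)["']?/;
// A full-length Git commit SHA is exactly 40 lowercase hex characters.
const FULL_SHA_RE = /^[0-9a-f]{40}$/;

// Returns the `uses:` references that are NOT pinned to a full-length SHA.
// `allowedOwners` (assumption) lists owners whose actions may stay tag-pinned.
function findUnpinnedActions(workflowYaml: string, allowedOwners: string[] = []): UsesRef[] {
  const unpinned: UsesRef[] = [];
  workflowYaml.split("\n").forEach((text, idx) => {
    const m = USES_RE.exec(text);
    if (!m) return;
    const [, action, ref] = m;
    // Local actions and docker images cannot be SHA-pinned the same way; skip them.
    if (action.startsWith("./") || action.startsWith("docker://")) return;
    const owner = action.split("/")[0] ?? "";
    if (allowedOwners.includes(owner)) return;
    if (!FULL_SHA_RE.test(ref)) unpinned.push({ line: idx + 1, action, ref });
  });
  return unpinned;
}

// Constructed sample workflow; the setup-node SHA below is a made-up placeholder,
// the actions-gh-pages SHA is the one quoted in the issue.
const SAMPLE_WORKFLOW = `
name: docs
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@1234567890abcdef1234567890abcdef12345678
      - uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305 # v3.8.0
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
`;

for (const f of findUnpinnedActions(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.action}@${f.ref} is not pinned to a full-length SHA`);
}
```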

dreamorosi commented 1 year ago

#1324 starts adding some of these hashes

github-actions[bot] commented 1 year ago

⚠️ COMMENT VISIBILITY WARNING ⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.