Status: Closed (closed by dreamorosi 1 year ago)
Problem statement
Workflows can use 3rd party actions. When specifying an action in a workflow you can reference a tag or branch (e.g. actions/setup-node@v3) or a full-length commit SHA (e.g. peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305). Tags and branches are mutable, so with the first method two executions of the same workflow can resolve the same reference to different commits of the 3rd party action. This exposes the repository running the workflow to the risk of a bad actor moving the tag (or pushing to the branch) to a commit that adds a backdoor to the action.
Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA mitigates this risk, as an attacker would need to generate a SHA-1 collision for a valid Git object payload in order to swap the action's code behind that SHA. A short SHA prefix does not give this guarantee, and the SHA should be taken from the action's own repository rather than from a fork.
Summary of the feature
Go through all existing workflows in this repo and pin all 3rd party actions to a specific full length SHA number.
Also, to avoid future oversights, add a workflow (see next section) that runs whenever a change is made under .github/workflows/* (the folder that contains the workflows run by GitHub Actions, and the place where this repository references 3rd party actions; composite actions kept elsewhere in the repository, e.g. under .github/actions/, would need the same treatment). As maintainers, we should then see that workflow fail with an error whenever a 3rd party action reference that is not pinned to a full-length commit SHA is introduced.
Code examples
See the workflow used in the Powertools for Python repository here.
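As an added example (not the Powertools for Python workflow, nor any script from this repository), the following POSIX shell check implements the rule described above: it scans workflow files for `uses:` references and fails when any 3rd party reference is not pinned to a 40 hex character commit SHA. Tags, branches and short SHA prefixes are all rejected; local actions (./path) and docker:// images are skipped because they are not fetched from a 3rd party Git repository. The two sample workflow files, the placeholder SHA 0123456789abcdef0123456789abcdef01234567 and the example-org reusable workflow reference are constructed for the demo; the peaceiris SHA is the one quoted in this issue.

```shell
#!/usr/bin/env sh
# Added example (not the project's own workflow or script): fail when any
# `uses:` reference in the given workflow files is not pinned to a
# full-length (40 hex character) commit SHA.
set -eu

# Print every unpinned `uses:` reference in the given files as "file:line: ref".
# Local actions (./path) and docker:// images are skipped: they are not
# fetched from a 3rd party Git repository at run time.
list_unpinned_actions() {
  for f in "$@"; do
    grep -nE '^[[:space:]-]*uses:' "$f" | while IFS= read -r hit; do
      lineno=${hit%%:*}
      # Value after "uses:", with quotes dropped and any trailing comment cut off.
      ref=$(printf '%s' "${hit#*uses:}" | tr -d "\"'" | awk '{print $1}')
      [ -n "$ref" ] || continue
      case "$ref" in
        ./*|docker://*) continue ;;
      esac
      sha=${ref##*@}
      # Pinned only when there is an "@" and what follows is exactly 40 hex chars;
      # tags (v3), branches (main) and short SHAs (068dc23) all fail this test.
      if [ "$sha" = "$ref" ] || ! printf '%s\n' "$sha" | grep -qE '^[0-9a-f]{40}$'; then
        printf '%s:%s: %s\n' "$f" "$lineno" "$ref"
      fi
    done
  done
}

# Exit status 0 when every reference is pinned, 1 otherwise (offenders on
# stderr), so the function can gate a CI job.
check_pinned_actions() {
  unpinned=$(list_unpinned_actions "$@")
  if [ -z "$unpinned" ]; then
    return 0
  fi
  printf 'ERROR: actions not pinned to a full-length commit SHA:\n%s\n' "$unpinned" >&2
  return 1
}

# Constructed sample workflows for the demo (not files from this repository).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

cat >"$WORKDIR/pinned.yml" <<'EOF'
name: pinned
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, constructed
      - uses: ./.github/actions/local-setup
      - uses: "peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305" # SHA quoted in the issue
      - run: echo deployed
EOF

cat >"$WORKDIR/unpinned.yml" <<'EOF'
name: unpinned
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v3
      - uses: 'actions/cache@main'
      - uses: actions/checkout@068dc23
      - uses: docker://alpine:3.18
      - run: npm test
  reuse:
    uses: example-org/shared-workflows/.github/workflows/lint.yml@v1 # constructed, hypothetical org
EOF

# Demo run; in CI you would pass .github/workflows/*.yml instead.
for wf in "$WORKDIR"/pinned.yml "$WORKDIR"/unpinned.yml; do
  if check_pinned_actions "$wf"; then
    echo "OK: $wf"
  else
    echo "FAIL: $wf"
  fi
done
```

In the repository this would run as a step of a workflow triggered with `on: pull_request: paths: ['.github/workflows/**']`, calling `check_pinned_actions .github/workflows/*.yml` so that the job fails, and the pull request is blocked, as soon as an unpinned reference appears. The check deliberately treats job-level `uses:` (reusable workflows) the same way as step-level actions, since both are fetched from another repository by reference.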
Benefits for you and the wider AWS community
Hardened security for the repository.
Describe alternatives you've considered
N/A
Additional context
Recommendations on hardening security in the official docs of GitHub Actions: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Related issues, RFCs
https://github.com/awslabs/aws-lambda-powertools-python/pull/1301