certifi / python-certifi

(Python Distribution) A carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.

Hash Pin Workflow Dependencies #227

Closed joycebrum closed 1 year ago

joycebrum commented 1 year ago

Description

I would like to also suggest a security practice recommended by the [OpenSSF Scorecard][scorecard-repo] which is to hash pin dependencies to prevent dependency-confusion, typosquatting and tag renaming attacks.

The change would only be applied to GitHub workflow, Dockerfile and shell script dependencies.

This means:


Along with hash-pinning dependencies, I also recommend adopting dependabot or renovatebot to help keep the dependencies up to date. Both tools can update hashes and associated semantic version comments.

Let me know if you are open to evaluating those changes and I'll submit the PR ASAP.

Any questions or concerns just let me know.
Thanks!

## Additional Context

<!--workflows -->
A tag renaming attack is a type of attack whereby an attacker:
- Hijacks an action.
- Uploads a malicious version.
- Replaces existing tags with malicious versions.

<!--package managers-->
A [dependency-confusion][deps-confusion] attack occurs when an attacker:
- Finds the name of a package that the victim wants to install.
- Creates an identically named package and publishes it under the public or default registry.
- Assigns the package a higher version number to trick the package manager tool into downloading it from the public repo.

<!--both-->
A [typosquatting attack][typosquatting] is a type of attack whereby an attacker:
- Creates a malicious package.
- Publishes it with a name similar to that of a known package (example: numpi instead of numpy).

For more information about the dependency-update tools:
- [Dependabot][dependabot]
- [Renovatebot][renovatebot]

<!-- useful links -->
[scorecard-repo]: https://github.com/ossf/scorecard
[deps-confusion]: https://www.websecuritylens.org/how-dependency-confusion-attack-works-and-how-to-prevent-it/ 
[typosquatting]: https://snyk.io/blog/typosquatting-attacks/ 
[dependabot]: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
[renovatebot]: https://www.mend.io/renovate/

alex commented 1 year ago

My general practice on other repos has been:

I don't believe it's appropriate for us to pin our python deps (pytest), because python lacks tooling for doing this effectively.

I'd be happy to take a PR on the actions side for this.

joycebrum commented 1 year ago

> because python lacks tooling for doing this effectively

That's actually true, unfortunately. The only way I know of doing it would be using pip-compile to regenerate the hashes to update them, but that's extra work to keep it up to date :/

> My general practice on other repos has been:
>
> - pin to a precise tag for official actions (those under the actions org)

It would be slightly better to hash pin the official ones too, since they are open source and are exposed to supply chain attacks like any other open source. But it is definitely good to at least minor version pin them. Thanks for that.

alex commented 1 year ago

FWIW since I left that comment, one of your colleagues sent a PR to another repo of mine migrating it to pinning the actions repos by hash, so now I do the same everywhere.
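
As an added example (not part of this thread or of the certifi project's code), a small stdlib-only Python check that flags `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA, the condition that hash pinning enforces against tag renaming. The workflow text, the `example-org/...` action names and the SHA are constructed for illustration.

```python
import re

# A "uses:" key at step or job level, optionally quoted; captures the reference.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify(ref):
    """Return 'local', 'docker-digest', 'docker-tag', 'sha' or 'mutable'."""
    if ref.startswith("./"):
        return "local"  # lives in the same repository as the workflow
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    _, sep, version = ref.partition("@")
    if sep and FULL_SHA_RE.fullmatch(version):
        return "sha"
    return "mutable"  # tag, branch, abbreviated SHA or missing version

def audit(workflow_text):
    """Return (line_no, reference, kind) for each reference that can be moved."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) in ("mutable", "docker-tag"):
            findings.append((line_no, match.group(1), classify(match.group(1))))
    return findings

# Constructed workflow: action names and the SHA are placeholders.
SAMPLE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/other-action@main
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - name: abbreviated SHA is not a full pin
        uses: example-org/example-action@0123456
"""

if __name__ == "__main__":
    for line_no, ref, kind in audit(SAMPLE):
        print(f"line {line_no}: {ref} ({kind})")
```

The trailing `# v1.2.3` comment on the pinned line is the human-readable version that the thread says Dependabot and Renovate keep in sync with the hash.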