ljharb
commented
1 year ago To be clear, I think updating it to use a tag is the correct approach - the flaw is that the OpenSSF scorecard is requiring one to pin an action to a SHA.
Closed jhutchings1 closed 1 year ago
ljharb
commented
1 year ago To be clear, I think updating it to use a tag is the correct approach - the flaw is that the OpenSSF scorecard is requiring one to pin an action to a SHA.
jhutchings1
commented
1 year ago Looks like this is a dupe of #5556? Also seems like @deivid-rodriguez has already started a fix for that so we're safe to close this one.
@ljharb related to the OpenSSF scorecard, I agree that scorecard should be ok with folks pinning actions to a semver tag. We've recently shipped support for GitHub Actions advisories that only support semver versioning, so folks that SHA pin won't get Dependabot alerts.
deivid-rodriguez
commented
1 year ago Hi @jhutchings1 and @ljharb! Yes, I was just replying :)
I had initially thought that this bug had actually been always there, but two reports so close in time make me suspect that it might be a regression. Or maybe it's just the attention that OpenSSF scoreboard has got recently? Not sure.
Anyways, we will fix this!
To be clear, I think updating it to use a tag is the correct approach
So your expectation would be that if there's an available tag newer than the pinned sha1, we update the workflow to use a tag? Actually we were doing that before, but decided to change it recently to keep the same "style" already present in the workflow file.
jhutchings1
commented
1 year ago Actually we were doing that before, but decided to change it recently to keep the same "style" already present in the workflow file.
I agree that we shouldn't go back and forth between SHAs and tags. Whatever the developer first specified is the kind of format we should stick with.
andymckay
commented
1 year ago Agreed. The current security recommendations for Actions, at this time, recommended Actions are pinned to a full length SHA unless you trust the creator: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
ljharb
commented
1 year ago where would be the best place to get the OpenSSF Scorecard changed so that it doesn't penalize pinning an action to a tag?
deivid-rodriguez
commented
1 year ago I think you can leave your feedback at https://github.com/ossf/scorecard.
Package ecosystem
GitHub Actions
Manifest location and content before the Dependabot update
https://github.com/juliangruber/isarray/pull/44/files
What you expected to see, versus what you actually saw
This one was relayed to me by @ljharb, but he observed that Dependabot was actually updating repositories from the pinned SHA of the head commit back to the pinned SHA of the most recent release.
@andymckay @jeffwidman Can you all have a look at this one?