Closed jhutchings1 closed 1 year ago
To be clear, I think updating it to use a tag is the correct approach - the flaw is that the OpenSSF scorecard is requiring one to pin an action to a SHA.
Looks like this is a dupe of #5556? Also seems like @deivid-rodriguez has already started a fix for that so we're safe to close this one.
@ljharb related to the OpenSSF scorecard, I agree that scorecard should be ok with folks pinning actions to a semver tag. We've recently shipped support for GitHub Actions advisories that only support semver versioning, so folks that SHA pin won't get Dependabot alerts.
Hi @jhutchings1 and @ljharb! Yes, I was just replying :)
I had initially thought that this bug had actually been always there, but two reports so close in time make me suspect that it might be a regression. Or maybe it's just the attention that OpenSSF scoreboard has got recently? Not sure.
Anyways, we will fix this!
To be clear, I think updating it to use a tag is the correct approach
So your expectation would be that if there's an available tag newer than the pinned sha1, we update the workflow to use a tag? Actually we were doing that before, but decided to change it recently to keep the same "style" already present in the workflow file.
Actually we were doing that before, but decided to change it recently to keep the same "style" already present in the workflow file.
I agree that we shouldn't go back and forth between SHAs and tags. Whatever the developer first specified is the kind of format we should stick with.
Agreed. The current security recommendations for Actions, at this time, recommended Actions are pinned to a full length SHA unless you trust the creator: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
where would be the best place to get the OpenSSF Scorecard changed so that it doesn't penalize pinning an action to a tag?
I think you can leave your feedback at https://github.com/ossf/scorecard.
Package ecosystem
GitHub Actions
Manifest location and content before the Dependabot update
https://github.com/juliangruber/isarray/pull/44/files
What you expected to see, versus what you actually saw
This one was relayed to me by @ljharb, but he observed that Dependabot was actually updating repositories from the pinned SHA of the head commit back to the pinned SHA of the most recent release.
@andymckay @jeffwidman Can you all have a look at this one?