github / docs

The open-source repo for docs.github.com
https://docs.github.com
Creative Commons Attribution 4.0 International

OIDC examples don't pin external actions (& don't declare them) #34316

Open janbrasna opened 4 weeks ago

janbrasna commented 4 weeks ago

What article on docs.github.com is affected?

  1. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform#requesting-the-access-token
  2. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
  3. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure#requesting-the-access-token
  4. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#requesting-the-access-token
  5. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow

What part(s) of the article would you like to see updated?

```yaml
steps:
- id: 'auth'
  name: 'Authenticate to GCP'
  uses: 'google-github-actions/auth@v0.3.1'
  with:
```

should pin a hash instead; also, the reusable disclaimer about third-party usage should be added.

Additional information

This is analogous for all the pages mentioned, for both # Requesting and # Revoking examples.

janbrasna commented 4 weeks ago

Or do I remember it wrong and it's mandatory only in starter-workflows …?

nguyenalex836 commented 4 weeks ago

@janbrasna Thanks so much for opening an issue!

> Or do I remember it wrong and it's mandatory only in starter-workflows …?

We'll get to the bottom of this during review! ✨

github-actions[bot] commented 4 weeks ago

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:

janbrasna commented 4 weeks ago

it's definitely here:

and definitely being used, e.g. in docker examples… but now I can't seem to be able to locate any guidelines for that in the style guide or writing examples.

nguyenalex836 commented 3 weeks ago

@janbrasna Thank you for your patience while our engineering team reviewed this issue! They responded with the following -

... touching on a general concern where a maintainer of an action can change what the v2 branch or v2.1.5 tag points to. By pointing to a specific commit SHA, you can be confident exactly what you're getting regardless of whatever else the maintainers do. This comes at the cost of needing to keep these versions updated as the maintainers create new releases.

... there are trade-offs in both approaches, more security or ease of managing upgrades. Users who want can try to get a balance of both by using SHAs and turning on Dependabot to open PRs when newer versions are available.

Still, I don’t know if we want to align all of GitHub docs purely on SHA pinning or not. Directing users to the links above about considerations is my preference.

Let us know if you have any thoughts regarding the above! For now, I'll add the help wanted label to this issue so that you, or anyone else, can make these updates 💛
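As an added example (not code from the docs repo or from this issue), here is a small check for the situation the thread discusses: it scans a workflow for `uses:` references that are not pinned to a full commit SHA, and for SHA pins that lack the trailing version comment Dependabot maintains. The workflow fragment and the 40-character SHAs in it are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.
Added example; the sample workflow and its SHAs are constructed placeholders."""
import re

# A full commit SHA is 40 lowercase hex characters; tags, branches and short
# SHAs are mutable or ambiguous references that a maintainer can repoint.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?\s*(#.*)?$""")

SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    steps:
    - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.7
    - id: 'auth'
      name: 'Authenticate to GCP'
      uses: 'google-github-actions/auth@v0.3.1'
    - uses: ./.github/actions/local-step
    - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
"""


def classify_ref(uses_value):
    """Return 'local', 'docker', 'sha' or 'mutable' for one `uses:` value."""
    if uses_value.startswith("./"):
        return "local"      # same-repo action: versioned with the workflow itself
    if uses_value.startswith("docker://"):
        return "docker"     # container image: needs a digest rather than a tag
    if "@" not in uses_value:
        return "mutable"    # no ref at all resolves to the default branch
    _, ref = uses_value.rsplit("@", 1)
    return "sha" if FULL_SHA.match(ref) else "mutable"


def find_unpinned(workflow_text):
    """Return (line_no, uses_value, reason) for every reference needing attention."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        value, comment = m.group(1), m.group(2)
        kind = classify_ref(value)
        if kind == "mutable":
            findings.append((line_no, value, "not pinned to a full commit SHA"))
        elif kind == "sha" and not (comment and re.search(r"v?\d+(\.\d+)*", comment)):
            # Dependabot keeps this comment in step with the SHA it bumps.
            findings.append((line_no, value, "SHA pin lacks a version comment"))
        elif kind == "docker" and "@sha256:" not in value:
            findings.append((line_no, value, "docker image not pinned by digest"))
    return findings
```

Running `find_unpinned(SAMPLE_WORKFLOW)` reports the `google-github-actions/auth@v0.3.1` step from the docs example and the SHA pin that has no version comment, while the comment-annotated pin and the local action pass.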