github / github-ospo

Helping open source program offices get started
https://github.blog/2023-03-13-an-open-source-project-to-empower-ospos-everywhere/
MIT License
659 stars 59 forks

Actions should be pinnable #95

Closed zkoppert closed 6 months ago

zkoppert commented 6 months ago

Is your feature request related to a problem?

Pinning using a cryptographic hash or signature is considered a Best Practice to ensure that a specific version of a component is used, which can help in making builds more reproducible and trustworthy. All of our GitHub OSPO Actions do not follow the best practices in terms of being immutable ("pinnable").

Related OSPO Tool

stale-repos GitHub Action, issues-metrics GitHub Action, automatic-contrib-prs GitHub Action, evergreen GitHub Action, cleanowners GitHub Action, contributors GitHub Action

Describe the solution you'd like

See remediation paths at https://github.com/boostsecurityio/poutine/blob/main/docs/content/en/rules/unpinnable_action.md#remediation

Ideally we would make our actions pinnable, update our docs to encourage that practice, and ensure our CI components are all pinned.

Describe alternatives you've considered

none

Additional context

Found based on running the poutine tool
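As an added illustration of the pinned-versus-mutable distinction the remediation link describes (an example written for this page, not code from github-ospo or poutine): a small checker that flags `uses:` references in a workflow or composite action that point at a tag, branch or image tag instead of a full commit SHA or image digest. The sample workflow and the 40-character SHA inside it are constructed placeholders.

```python
import re

# A full-length git commit SHA (40 hex chars); a tag such as v4 or a branch can move.
FULL_SHA = re.compile(r"^[0-9a-fA-F]{40}$")
# Captures the reference on a `uses:` line, with or without a leading list dash.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")


def is_pinned(ref: str) -> bool:
    """True if the action reference is immutable.

    Local actions (./path) ship with the checked-out commit, so they count as pinned.
    docker:// images are pinned only when addressed by sha256 digest.
    Anything else must carry a full commit SHA after the '@'.
    """
    if ref.startswith("./"):
        return True
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    if "@" not in ref:
        return False  # no version at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return bool(FULL_SHA.match(version))


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for every mutable action reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample: one mutable tag, one SHA-pinned step, one local action, one image tag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: ./
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to an immutable SHA/digest")
```

Run the same check over the action repository's own `.github/workflows/*.yml` and `action.yml`: an action is only "pinnable" in the sense this issue uses when its internal steps and base images are themselves pinned.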

jmeridth commented 6 months ago

Turned on OSSF Scorecard on stale-repos and the results agree with this issue. 😄 Will work through them all in a PR per repo.

jmeridth commented 6 months ago

This is complete