Closed daniel-beck closed 1 year ago
Looks like it is supported by dependabot: https://github.com/dependabot/dependabot-core/issues/2835
@dduportal thanks for the link, it's where I found out about https://github.com/sethvargo/ratchet, which in combination with https://github.com/lindell/multi-gitter allowed me to quickly pin all GitHub actions.
@daniel-beck thanks for the suggestion, let me know if you want me to do the same on some @jenkinsci repositories, it shouldn't take me long to do it now that I have a working script 😉
FWIW my preference is to keep jenkins-infra/, github/, and actions/ org stuff as mutable refs given their very low risk (IMO). If you disagree, could you explain why? Thanks.
Yes, sorry about that, I read your issue too fast at first. I reviewed my script and my pull requests to keep actions/* GHA with a version instead of a SHA-1.
We (infra team) agree with you, I'll rework/review the pull requests to also keep the jenkins-infra/* and github/* ones.
For the record, there are currently 43 distinct GitHub actions used in @jenkins-infra repositories.
And before these pull requests, 71 actions with different versions.
Almost all pull requests taken into account, closing this issue.
For the record here is the script I've used: https://github.com/jenkins-infra/helpdesk/pull/3408
Service(s)
GitHub
Summary
Looking at https://github.com/jenkins-infra/helpdesk/issues/3355 and some of the repos linked there, none of the actions use a SHA-1 reference to tags.
As a security best practice, SHA-1 references instead of tags (or branches) should be used, to prevent upstream from replacing the tag, introducing behavior changes, in the worst case malicious behavior. I think it's safe to continue using these tags for action/… actions or our own, but third-party actions should be handled more strictly. See also https://github.com/jenkinsci/jenkins/pull/7113 which brought this problem up in the context of actions used in jenkinsci/jenkins.
Reproduction steps
No response
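As an added example (not code from this issue, from ratchet, from multi-gitter, or from the helpdesk script linked above), the check below scans a workflow file for `uses:` references and flags third-party actions that are not pinned to a full 40-hex commit SHA, while letting the orgs the thread agreed on (actions/, github/, jenkins-infra/) keep mutable tags. It matches lines with a regular expression instead of a YAML parser so it runs with the standard library only; the workflow text, the org list `TRUSTED_ORGS`, and the names `check_workflow`, `is_commit_sha` and `Finding` are all constructed here for illustration and are not taken from any tool.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Orgs that, per the agreement in this thread, may stay on tags/branches.
# This list is an assumption of the example, not a setting of any tool.
TRUSTED_ORGS = ("actions", "github", "jenkins-infra")

# Matches `uses: owner/repo[/subpath]@ref` on a step or a reusable-workflow
# job. Local actions (`./...`) and `docker://` images never carry `@ref` in
# this shape, so they are skipped by construction. A trailing `# v4.1.0`
# comment, as left by SHA-pinning tools, is not part of the captured ref.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)(?P<path>/[^@'\"\s]*)?"
    r"@(?P<ref>[^'\"\s]+)['\"]?"
)
SHA_RE = re.compile(r"[0-9a-f]{40}", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def is_commit_sha(ref: str) -> bool:
    """True only for a full 40-hex commit id; short SHAs and tags are mutable."""
    return SHA_RE.fullmatch(ref) is not None


def check_workflow(text: str, trusted_orgs=TRUSTED_ORGS) -> list[Finding]:
    """Return every third-party `uses:` that is not pinned to a commit SHA."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out step
        m = USES_RE.match(line)
        if m is None:
            continue
        owner, ref = m["owner"], m["ref"]
        action = f"{owner}/{m['repo']}{m['path'] or ''}"
        if is_commit_sha(ref):
            continue  # already pinned, nothing to report
        if owner in trusted_orgs:
            continue  # allowed to float per the policy above
        findings.append(
            Finding(line_no, action, ref, "third-party action on a mutable ref")
        )
    return findings


# Constructed sample workflow (not a real jenkins-infra file) exercising
# the cases above: trusted-org tags, a local action, a docker image,
# an unpinned third-party action, and a SHA-pinned third-party action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: 17
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: some-vendor/lint-action@v2.3.1
      - uses: another-vendor/release@0123456789abcdef0123456789abcdef01234567 # v1.2.0
      - uses: jenkins-infra/some-action@main
"""


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.reason}")
```

Run against the sample it reports only `some-vendor/lint-action@v2.3.1`; passing `trusted_orgs=()` makes it strict and also flags the actions/ and jenkins-infra/ tags. A SHA pin only fixes the mutability of the reference itself: whatever the pinned action does at runtime (including the dependencies it downloads) is unchanged, so pinning is a complement to, not a substitute for, reviewing the action.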