jenkins-infra / helpdesk

Open your Infrastructure related issues here for the Jenkins project
https://github.com/jenkins-infra/helpdesk/issues/new/choose

Use SHA-1 hashes instead of mutable refs for GH action dependencies #3402

Closed daniel-beck closed 1 year ago

daniel-beck commented 1 year ago

Service(s)

GitHub

Summary

Looking at https://github.com/jenkins-infra/helpdesk/issues/3355 and some of the repos linked there, none of the actions use a SHA-1 reference to tags.

As a security best practice, SHA-1 references instead of tags (or branches) should be used, to prevent upstream from replacing the tag introducing behavior changes, in the worst case malicious behavior. I think it's safe to continue using these tags for action/… actions or our own, but third party actions should be handled more strictly.

See also https://github.com/jenkinsci/jenkins/pull/7113 which brought this problem up in the context of actions used in jenkinsci/jenkins.

Reproduction steps

No response

dduportal commented 1 year ago

Looks like it is supported by dependabot: https://github.com/dependabot/dependabot-core/issues/2835

lemeurherve commented 1 year ago

@dduportal thanks for the link, it's where I found out about https://github.com/sethvargo/ratchet, which in combination with https://github.com/lindell/multi-gitter allowed me to quickly pin all GitHub actions.

@daniel-beck thanks for the suggestion, let me know if you want me to do the same on some @jenkinsci repositories, it shouldn't take me long to do it now that I have a working script 😉

daniel-beck commented 1 year ago

FWIW my preference is to keep jenkins-infra/, github/, and actions/ org stuff as mutable refs given their very low risk (IMO). If you disagree, could you explain why? Thanks.

lemeurherve commented 1 year ago

Yes, sorry about that, I read your issue too fast at first. I reviewed my script and my pull requests to keep actions/* GHA with a version instead of a SHA-1.

We (infra team) agree with you, I'll rework/review the pull requests to also keep the jenkins-infra/* and github/* ones.

lemeurherve commented 1 year ago

For the record, there are currently 43 distinct GitHub actions used in @jenkins-infra repositories.

List of unique GHA used:

```
actions-cool/issues-similarity-analysis
actions/checkout
actions/github-script
actions/setup-go
actions/setup-java
actions/setup-node
actions/setup-python
actions/upload-artifact
andymckay/labeler
aws-actions/configure-aws-credentials
azure/setup-helm
crowdin/github-action
docker://jnorwood/helm-docs:latest
docker/build-push-action
docker/login-action
docker/setup-buildx-action
docker/setup-qemu-action
gaurav-nelson/github-action-markdown-link-check
github/codeql-action/analyze
github/codeql-action/autobuild
github/codeql-action/init
github/codeql-action/upload-sarif
golangci/golangci-lint-action
goreleaser/goreleaser-action
helm/chart-releaser-action
jenkins-infra/fetch-codeql-action
jenkins-infra/interesting-category-action
jenkins-infra/jenkins-maven-cd-action
jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml
jenkins-infra/jenkins-version
jenkins-infra/uc
jenkins-infra/verify-ci-status-action
jenschelkopf/issue-label-notification-action
klakegg/actions-hugo
maxkomarychev/pr-updater-action
mikefarah/yq
ossf/scorecard-action
peter-evans/create-pull-request
release-drafter/release-drafter
stefanbuck/github-issue-parser
tibdex/github-app-token
tspascoal/get-user-teams-membership
updatecli/updatecli-action
```

And before these pull requests, 71 actions with different versions.

Actions with all their versions:

```
actions-cool/issues-similarity-analysis@v1
actions-cool/issues-similarity-analysis@v1.0.0
actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
actions/checkout@v2
actions/checkout@v3
actions/checkout@v3.3.0
actions/github-script@v6
actions/setup-go@v2
actions/setup-go@v3
actions/setup-java@v3
actions/setup-node@v2
actions/setup-node@v3
actions/setup-python@v2
actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8
actions/upload-artifact@v3
andymckay/labeler@master
aws-actions/configure-aws-credentials@v1-node16
azure/setup-helm@v1
azure/setup-helm@v3
crowdin/github-action@1.5.2
docker://jnorwood/helm-docs:latest
docker/build-push-action@v2
docker/build-push-action@v4
docker/login-action@v1
docker/login-action@v2
docker/setup-buildx-action@v1
docker/setup-buildx-action@v2
docker/setup-qemu-action@v1
docker/setup-qemu-action@v2
gaurav-nelson/github-action-markdown-link-check@v1
github/codeql-action/analyze@v1
github/codeql-action/analyze@v2
github/codeql-action/autobuild@v1
github/codeql-action/autobuild@v2
github/codeql-action/init@v1
github/codeql-action/init@v2
github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100
github/codeql-action/upload-sarif@v2
golangci/golangci-lint-action@v2
golangci/golangci-lint-action@v3
golangci/golangci-lint-action@v3.1.0
goreleaser/goreleaser-action@v2.4.1
goreleaser/goreleaser-action@v2.9.1
goreleaser/goreleaser-action@v4.2.0
helm/chart-releaser-action@v1.2.0
helm/chart-releaser-action@v1.5.0
jenkins-infra/fetch-codeql-action@v1
jenkins-infra/interesting-category-action@v1.2.1
jenkins-infra/jenkins-maven-cd-action@v1.3.3
jenkins-infra/jenkins-security-scan/.github/workflows/jenkins-security-scan.yaml@v2
jenkins-infra/jenkins-version@0.3.1
jenkins-infra/uc@0.1.4
jenkins-infra/verify-ci-status-action@v1.2.2
jenschelkopf/issue-label-notification-action@1.3
klakegg/actions-hugo@1.0.0
maxkomarychev/pr-updater-action@v1.0.0
mikefarah/yq@v4.6.0
ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d
peter-evans/create-pull-request@v3
peter-evans/create-pull-request@v4
release-drafter/release-drafter@v5
release-drafter/release-drafter@v5.22.0
stefanbuck/github-issue-parser@v3
tibdex/github-app-token@v1
tibdex/github-app-token@v1.5
tibdex/github-app-token@v1.8
tspascoal/get-user-teams-membership@v2
updatecli/updatecli-action@v1.19.0
updatecli/updatecli-action@v1.32.0
updatecli/updatecli-action@v2
updatecli/updatecli-action@v2.21.0
```

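A small audit script that applies the policy agreed in this thread (third-party actions must be pinned to a 40-hex commit SHA, while `actions/`, `github/` and `jenkins-infra/` may stay on tags). This is an added example, not the script linked in the thread; the `TRUSTED_ORGS` set and the sample workflow are assumptions, the latter constructed from references in the lists above.

```python
import re

# Orgs the thread agreed to leave on mutable refs as low risk (assumption: policy from this issue)
TRUSTED_ORGS = {"actions", "github", "jenkins-infra"}
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` both as a step (`- uses:`) and as a job-level reusable-workflow call
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")

def classify(ref):
    """Return (action, version, status) for one `uses:` value.
    status is 'pinned', 'trusted-tag', 'docker', 'local' or 'unpinned'."""
    if ref.startswith("./"):
        return ref, None, "local"          # action in the same repo, no external trust needed
    if ref.startswith("docker://"):
        return ref, None, "docker"         # image refs need digest pinning, reported separately
    action, sep, version = ref.partition("@")
    if not sep:
        return action, None, "unpinned"    # no ref at all means default branch
    if SHA1_RE.match(version):
        return action, version, "pinned"
    org = action.split("/", 1)[0]
    if org in TRUSTED_ORGS:
        return action, version, "trusted-tag"
    return action, version, "unpinned"     # third-party tag or branch: mutable

def audit_workflow(text):
    """Return (lineno, action, version, status) for every `uses:` line in a workflow."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, version, status = classify(m.group(1))
            results.append((n, action, version, status))
    return results

def unpinned(text):
    """Only the references that violate the policy."""
    return [(a, v) for _, a, v, s in audit_workflow(text) if s == "unpinned"]

# Constructed sample workflow; references taken from the lists in this thread
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d
      - uses: andymckay/labeler@master
      - uses: release-drafter/release-drafter@v5.22.0
      - uses: jenkins-infra/jenkins-version@0.3.1
      - uses: docker://jnorwood/helm-docs:latest
"""

if __name__ == "__main__":
    for action, version in unpinned(SAMPLE):
        print(f"not pinned to a commit SHA: {action}@{version}")
```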
lemeurherve commented 1 year ago

Almost all pull requests taken into account, closing this issue.

For the record here is the script I've used: https://github.com/jenkins-infra/helpdesk/pull/3408