lightningnetwork / lnd

Lightning Network Daemon ⚡️
MIT License

Vendored actions are getting updated. #5889

Open naveensrinivasan opened 2 years ago

naveensrinivasan commented 2 years ago

lnd uses GitHub Actions that are vendored to avoid supply chain attacks, which is great. But the downside to this is that the upstream is not monitored for any new zero-days/security issues or new features: https://github.com/lightningnetwork/lnd/blob/cac8da819ff96769326b4d9b7648bf59a1049f74/.github/workflows/release.yaml#L43

To avoid these actions being hijacked, it is required to pin these actions by SHA instead of tags, as tags can be moved.

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository.

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

Possible solution

guggero commented 2 years ago

I think we should indeed move to specific pinned versions by specifying the full SHA. And defining permissions sounds good to me too. But for now I think it's better to have the actions vendored as that specific version was reviewed explicitly.

But the downside to this is that the upstream is not monitored for any new zero-days/security issues or new features.

Do you mean automatic monitoring by something like Dependabot?
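The two points raised so far, pinning `uses:` references to a full commit SHA and declaring `permissions:`, are mechanical enough to check automatically. The following is an added example, not code from the lnd repository or from either commenter: a standard-library Python audit that reads a workflow file line by line, classifies every `uses:` reference as vendored (local path), SHA-pinned, or mutable (tag, branch, or no ref at all), and reports whether the workflow declares a top-level `permissions:` block. The two embedded workflow snippets are constructed for the example, and the 40-hex value in the hardened one is a placeholder, not a real commit of `actions/checkout`.

```python
"""Audit GitHub Actions workflow text for mutable `uses:` references.

Added example (not lnd project code). Line-based on purpose so it needs no
PyYAML; it only looks at `uses:` lines and the top-level `permissions:` key.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A full-length commit SHA is the only immutable reference for an action.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref`, `uses: "./local/action"`, `uses: docker://...`.
# Trailing `# comment` (the usual place to note the tag the SHA came from) is ignored.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")


@dataclass
class Finding:
    line: int
    ref: str
    kind: str  # "vendored" | "sha" | "mutable" | "docker"


def classify(ref: str) -> str:
    """Classify a single `uses:` reference."""
    if ref.startswith("./"):
        return "vendored"          # action or reusable workflow in this repo
    if ref.startswith("docker://"):
        # Docker images are immutable only when pinned by digest.
        return "sha" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"           # no ref resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA.match(version) else "mutable"


def audit(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line, in file order."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            findings.append(Finding(n, ref, classify(ref)))
    return findings


def unpinned(workflow_text: str) -> list[Finding]:
    """Only the references that a moved tag or branch could silently change."""
    return [f for f in audit(workflow_text) if f.kind == "mutable"]


def has_top_level_permissions(workflow_text: str) -> bool:
    """True if the workflow sets a workflow-wide `permissions:` block."""
    return any(ln.startswith("permissions:") for ln in workflow_text.splitlines())


# Constructed sample: tag- and branch-pinned actions, no permissions block.
WEAK = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ./.github/actions/setup-go
      - name: Build
        uses: actions/setup-go@main
"""

# Constructed sample: SHA-pinned (placeholder SHA, not a real commit) plus
# read-only token permissions; the vendored action is left as-is.
HARDENED = """\
name: release
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z
      - uses: ./.github/actions/setup-go
"""


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"{name}: permissions declared = {has_top_level_permissions(text)}")
        for f in audit(text):
            print(f"  line {f.line:2d} {f.kind:8s} {f.ref}")
```

Run it against `.github/workflows/*.yaml` by reading each file into `audit()`; anything reported as `mutable` is a candidate for replacing the tag with the commit SHA it currently resolves to, keeping the tag in a trailing comment so humans can still read the version. Vendored references are reported separately because, as the thread notes, they are outside this check's scope and need their own review process.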

naveensrinivasan commented 2 years ago

Do you mean automatic monitoring by something like Dependabot?

Dependabot can monitor only versions that are being used. The vendored packages cannot be tracked.

But for now I think it's better to have the actions vendored as that specific version was reviewed explicitly.

How do you mitigate security issues on the version that is vendored? Turning a blind eye is a higher risk IMO.