Open naveensrinivasan opened 2 years ago
I think we should indeed move to specific pinned versions by specifying the full SHA. And defining permissions sounds good to me too. But for now I think it's better to have the actions vendored as that specific version was reviewed explicitly.
But the downside to this is that upstream is not monitored for any new zero-days/security issues or new features.
Do you mean automatic monitoring by something like Dependabot?
Do you mean automatic monitoring by something like Dependabot?
Dependabot can monitor only versions that are being used. The vendored packages cannot be tracked.
But for now I think it's better to have the actions vendored as that specific version was reviewed explicitly.
How do you mitigate security issues on the version that is vendored? Turning a blind eye is a higher risk IMO.
The lnd repository uses GitHub Actions that are vendored to avoid supply chain attacks, which is great. But the downside to this is that upstream is not monitored for any new zero-days/security issues or new features: https://github.com/lightningnetwork/lnd/blob/cac8da819ff96769326b4d9b7648bf59a1049f74/.github/workflows/release.yaml#L43

To avoid these actions being hijacked, it is required to pin these actions by SHA instead of tags, as tags can be moved: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
Possible solution
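As an added example (not part of this issue or of the lnd repository), a small Python checker that walks a workflow file and flags every `uses:` reference resolved by a tag or branch instead of a full 40-hex commit SHA; the sample workflow, the action names and the SHA value in it are constructed for illustration.

```python
import re

# A third-party action is pinned only when its ref is a full 40-hex commit SHA.
# Tags (v3) and branches (main) are mutable, so they can be moved to new code.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo@ref`, `- uses: ...`, quoted or not, ignoring comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")


def classify_ref(uses: str) -> str:
    """Return 'local', 'sha' or 'mutable' for one `uses:` value."""
    if uses.startswith("./"):
        return "local"  # vendored in-repo action; tracked by the repo's own commits
    if uses.startswith("docker://"):
        # Container actions are immutable only when referenced by digest.
        return "sha" if "@sha256:" in uses else "mutable"
    if "@" not in uses:
        return "mutable"  # no ref at all resolves to the default branch
    _, ref = uses.rsplit("@", 1)
    return "sha" if SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, uses value) for each action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow; the SHA below is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3                                      # tag: mutable
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # full SHA: pinned
      - uses: ./.github/actions/vendored-step                          # vendored: local
      - uses: some-org/some-action@main                                # branch: mutable
"""

if __name__ == "__main__":
    for lineno, uses in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not pinned to a commit SHA: {uses}")
```

Running it on a real `.github/workflows/*.yaml` file reports the two mutable references in the sample and leaves the SHA-pinned and vendored steps alone; a pinned reference can still be kept up to date with Dependabot, which understands SHA-pinned `uses:` lines.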