[FR] Harden CI/CD workflows by hash-pinning Actions

[pnacht]

Willingness to contribute

Yes. I can contribute this feature independently.

Proposal Summary

Hi, it's Pedro (see #9629). I'm back with another security suggestion!

I suggest that MLflow hash-pin all GitHub Actions used in workflows. This will ensure the workflows always have precisely the same behavior, protecting them against broken or malicious releases.

These dependencies can be kept up-to-date with dependabot. Dependabot can be set up to send a single monthly PR updating the hashes and version comments of all updated Actions at once (see this PR for example).

I'll send a PR pinning the workflow Actions and configuring renovatebot to keep them up-to-date along with this issue.

Motivation

MLflow currently major-version-pins its Actions (i.e. actions/checkout@v4). However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.

Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.

Details

No response

What component(s) does this bug affect?

• [ ] area/artifacts: Artifact stores and artifact logging
• [X] area/build: Build and test infrastructure for MLflow
• [ ] area/docs: MLflow documentation pages
• [ ] area/examples: Example code
• [ ] area/gateway: AI Gateway service, Gateway client APIs, third-party Gateway integrations
• [ ] area/model-registry: Model Registry service, APIs, and the fluent client calls for Model Registry
• [ ] area/models: MLmodel format, model serialization/deserialization, flavors
• [ ] area/recipes: Recipes, Recipe APIs, Recipe configs, Recipe Templates
• [ ] area/projects: MLproject format, project running backends
• [ ] area/scoring: MLflow Model server, model deployment tools, Spark UDFs
• [ ] area/server-infra: MLflow Tracking server backend
• [ ] area/tracking: Tracking Service, tracking client APIs, autologging

What interface(s) does this bug affect?

• [ ] area/uiux: Front-end, user experience, plotting, JavaScript, JavaScript dev server
• [ ] area/docker: Docker use across MLflow's components, such as MLflow Projects and MLflow Models
• [ ] area/sqlalchemy: Use of SQLAlchemy in the Tracking Service or Model Registry
• [ ] area/windows: Windows support

What language(s) does this bug affect?

• [ ] language/r: R APIs and clients
• [ ] language/java: Java APIs and clients
• [ ] language/new: Proposals for new client languages

What integration(s) does this bug affect?

• [ ] integrations/azure: Azure and Azure ML integrations
• [ ] integrations/sagemaker: SageMaker integrations
• [ ] integrations/databricks: Databricks integrations

[harupy]

@pnacht Any other projects using this approach?

[pnacht]

Hey @harupy, hash-pinning is recommended by GitHub itself.

It is also required for all Apache projects. They let GitHub-owned repos stay version-pinned, but in my experience, if you hash-pin one Action, you might as well hash-pin everything, grouped updates mean the workload is basically identical.

Here's a small sample of some other projects that hash-pin their Actions:

• https://github.com/tensorflow/io
• https://github.com/jquery/jquery
• https://github.com/pyca/cryptography
• https://github.com/libexpat/libexpat
• https://github.com/mozilla/rhino
• https://github.com/google/pprof

[github-actions[bot]]

@mlflow/mlflow-team Please assign a maintainer and start triaging this issue.