Hi, I'm Diogo and I'm back (see #257 and #259). At the issue #257 I suggested you to set minimal permissions to your workflows. Now I'm coming back to suggest a modification that would provide extra safety for the workflows that yet require dangerous permissions (e.g., contents: write).
Problem
Your workflow release-drafter.yml is using dangerous permissions while running external dependencies pinned only by tag. That patterns could be dangerous because if any of those actions get hijacked (and at the end they're all repositories and are susceptible to attacks like any other), an attacker could change the code that your tags point to, gaining access to your secrets and/or write permissions to your repository.
Proposed Solution
A simple solution for this problem would be to hash-pin those sensitive actions, pointing the actions to the very specific commit of that release. It follows an example of the change:
- uses: r-lib/actions/pr-fetch@v1
would become
- uses: r-lib/actions/pr-fetch@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v1.3.1
And this would enforce that your action is always running at the expected code.
The only downsize of this solution is that it gets trickier to manually update the version of the actions as they get out-of-date, but that can be solved by using a Dependency-Update-Tool (like dependabot or renovatebot). As you already use Dependabot, so that shouldn't change anything in practice -- dependabot PRs would even keep a comment with the human-readable version used =).
Conclusion
I'll take the liberty of raising a PR implementing my suggestion, so that it becomes easier for you to evaluate. Let me know if you have any questions or concerns.
slachiewicz
commented
9 months ago
Hi, I'm Diogo and I'm back (see #257 and #259). At the issue #257 I suggested you to set minimal permissions to your workflows. Now I'm coming back to suggest a modification that would provide extra safety for the workflows that yet require dangerous permissions (e.g., contents: write).
Problem
Your workflow release-drafter.yml is using dangerous permissions while running external dependencies pinned only by tag. That patterns could be dangerous because if any of those actions get hijacked (and at the end they're all repositories and are susceptible to attacks like any other), an attacker could change the code that your tags point to, gaining access to your secrets and/or write permissions to your repository.
Proposed Solution
A simple solution for this problem would be to hash-pin those sensitive actions, pointing the actions to the very specific commit of that release. It follows an example of the change:
And this would enforce that your action is always running at the expected code.
The only downsize of this solution is that it gets trickier to manually update the version of the actions as they get out-of-date, but that can be solved by using a Dependency-Update-Tool (like dependabot or renovatebot). As you already use Dependabot, so that shouldn't change anything in practice -- dependabot PRs would even keep a comment with the human-readable version used =).
Conclusion
I'll take the liberty of raising a PR implementing my suggestion, so that it becomes easier for you to evaluate. Let me know if you have any questions or concerns.
Thanks!