temporalio / sdk-core

Core Temporal SDK that can be used as a base for language specific Temporal SDKs
MIT License
266 stars, 71 forks

Pin 3rd party actions to a full-length commit SHA. #583

Closed jackdawm closed 1 year ago

jackdawm commented 1 year ago

What was changed

Used ghat locally to fetch the commit SHA of the latest version of all actions in all workflows.

Why?

GitHub's security hardening recommendations for actions include pinning actions to a full-length commit SHA.

How did you test it?

Looked at the workflow logs on this PR.

Potential risks

Two pinned commit SHAs here seem to be version jumps, so these actions might not work as intended.
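Added example, not code from the sdk-core repository or this PR: a small Python check, run over a constructed workflow snippet, that flags `uses:` references not pinned to a full-length commit SHA and, given the version-jump concern above, SHA pins that carry no trailing version comment for a reviewer to verify. The action names and SHAs in the sample are placeholders.

```python
import re

# Constructed sample workflow for this example (not a file from sdk-core).
# The 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v4.7.0
      - uses: example-org/lint-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: example-org/other-action@v2
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d+(\.\d+)*")


def audit_workflow(workflow_text):
    """Classify every `uses:` reference in a workflow.

    Returns a dict with two lists of (line_no, ref):
      'unpinned'   - repository actions pinned to a tag/branch, not a 40-hex SHA
      'no_version' - SHA-pinned actions with no trailing '# vX.Y' comment, so a
                     reviewer cannot tell which release the SHA is meant to track
    Local actions (./...) and docker:// references are skipped: SHA pinning only
    applies to actions fetched from a git repository.
    """
    report = {"unpinned": [], "no_version": []}
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA_RE.match(version):
            report["unpinned"].append((n, ref))
        elif not VERSION_COMMENT_RE.search(comment):
            report["no_version"].append((n, ref))
    return report


if __name__ == "__main__":
    for kind, hits in audit_workflow(SAMPLE_WORKFLOW).items():
        for n, ref in hits:
            print(f"{kind}: line {n}: {ref}")
```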

cretz commented 1 year ago

I fear this may be a little much. We don't always pin third party dependencies to specific commits/SHAs either for our actual code dependencies (unless the package manager supports it, and even then we arbitrarily upgrade). I think we should have a general dependency policy of whether we're ok with only specifying a semver or if semver is not good enough.