tukaani-project / xz

XZ Utils
https://tukaani.org/xz/

[Feature Request]: Reference actions by commit SHA #65

Closed gabibguti closed 10 months ago

gabibguti commented 11 months ago

Describe the Feature

Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch.

Although there are pros and cons for each reference, GitHub understands using commit SHAs is more reliable, as does the Scorecard security tool.

If you agree, this would change, for example, actions/checkout@v3 to actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 followed by a comment # v3.6.0 to keep the version readable. Additionally, we can take this moment to bump actions/checkout to v4 and other actions.

Expected Complications

None.

Will I try to implement this new feature?

Yes

Additional Context

Hi! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
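The check described in this request, as an added example that is not part of the issue or of the xz project's own CI: a small script that scans a workflow file for `uses:` references, classifies each one as a full commit SHA, a tag or branch, an unversioned default-branch reference, a local action or a docker image, and rewrites the mutable ones into the `owner/repo@<sha> # <version>` form proposed above. The sample workflow is constructed for the example; the only real SHA/version pair in it is the actions/checkout one quoted in the request.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample workflow, not the xz project's real ci.yml. It mixes
# the reference styles discussed above: tag, branch, pinned SHA with a
# version comment, a local composite action, and a docker image.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@main
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
      - run: make check
"""

# Matches step-level `- uses: ref # comment` and job-level `uses:` lines
# (reusable workflows); the ref is everything up to the first whitespace.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')  # a full commit SHA, not an abbreviated one


class Finding(NamedTuple):
    line_no: int
    ref: str
    kind: str               # 'sha', 'tag-or-branch', 'unversioned', 'local', 'docker'
    comment: Optional[str]  # trailing `# ...` text, e.g. the human-readable version


def classify_uses(ref: str) -> str:
    """Classify how a `uses:` reference is versioned."""
    if ref.startswith('./'):
        return 'local'          # lives in this repo; pinned by the checkout itself
    if ref.startswith('docker://'):
        return 'docker'         # images are pinned by digest, not by commit SHA
    if '@' not in ref:
        return 'unversioned'    # default branch; mutable
    _, version = ref.rsplit('@', 1)
    return 'sha' if SHA_RE.match(version) else 'tag-or-branch'


def audit_workflow(text: str) -> List[Finding]:
    """Return a Finding for every `uses:` line in the workflow text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m['ref'].strip('\'"')
            findings.append(Finding(n, ref, classify_uses(ref), m['comment']))
    return findings


def find_unpinned(text: str) -> List[Finding]:
    """Only the mutable references: tags, branches and unversioned actions."""
    return [f for f in audit_workflow(text) if f.kind in ('tag-or-branch', 'unversioned')]


def pin_ref(ref: str, sha: str, version_label: str) -> str:
    """Produce the pinned form the issue proposes: owner/repo@<sha> # <version>."""
    if not SHA_RE.match(sha):
        raise ValueError(f'not a full 40-hex commit SHA: {sha}')
    action = ref.rsplit('@', 1)[0] if '@' in ref else ref
    return f'{action}@{sha} # {version_label}'


def rewrite_workflow(text: str, pins: Dict[str, Tuple[str, str]]) -> str:
    """Replace each `uses:` ref listed in `pins` ({ref: (sha, label)}) with its
    pinned form. Refs not in `pins` are left untouched; nothing is changed blindly."""
    out = []
    for line in text.splitlines(keepends=True):
        m = USES_RE.match(line)
        if m:
            ref = m['ref'].strip('\'"')
            if ref in pins:
                sha, label = pins[ref]
                ending = '\n' if line.endswith('\n') else ''
                line = line[:m.start('ref')] + pin_ref(ref, sha, label) + ending
        out.append(line)
    return ''.join(out)


# The checkout SHA/version pair is the one quoted in the issue above.
PINS = {'actions/checkout@v3': ('f43a0e5ff2bd294095638e18286ca9a3d1956744', 'v3.6.0')}

if __name__ == '__main__':
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {f.line_no}: {f.ref} is a mutable {f.kind} reference')
    print(rewrite_workflow(SAMPLE_WORKFLOW, PINS))
```

Run against the sample, the audit flags actions/checkout@v3 and actions/setup-python@main, and the rewrite pins only the checkout step because that is the only ref with a known SHA in the pin table; the trailing version comment is what keeps the pinned line readable when the file is reviewed later.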

JiaT75 commented 11 months ago

Hello!

Thanks again for the security advice. I suppose the only downside for this is not receiving potential bugfixes for the version we reference for the action. This can be mitigated by me not being lazy and subscribing to receive notifications when these repositories publish a release, so I have done that :)

Feel free to provide a PR for this. I believe all that needs changing is:

- ci.yml
- windows-ci.yml

gabibguti commented 11 months ago

Hi Jia! Ok, nice, I'll open a PR! And yes, there's this downside of having to keep an eye on updating the actions. You can update them manually, or there's also the option to use dependabot or renovatebot.

JiaT75 commented 11 months ago

The issues preventing Windows-CI from passing have been fixed on master. There were actually two problems, both related to the Clang 17.0.1 release. If you are curious, this and this are the commits. The related bugs for Clang are in the commit messages :)

So feel free to continue your work on a PR now that the issues are resolved. Thanks for bringing this to our attention!

gabibguti commented 10 months ago

Very interesting problem, the Clang release one. I took a look at the commits and discussions, thanks for sharing! It seems like they are resolving the problems in the new patch. Thanks for looking into this, Jia! I'll retry the PR.