ci: harden GitHub Actions (SHA-pin + Dependabot)#99
Open
fredespi wants to merge 2 commits into
Open
Conversation
Pin the remaining tag-referenced actions (checkout, cache, setup-rust-toolchain, dtolnay/rust-toolchain) to full commit SHAs with a trailing version comment. Tags are mutable, so a hijacked tag would run attacker code on the runners — including the self-hosted GPU boxes. SHAs are immutable and close that supply-chain vector. Signed-off-by: fredespi <fredrik.espinoza@gmail.com>
Keep the newly SHA-pinned actions current: Dependabot reads the version from each `uses:` trailing comment and opens weekly PRs bumping the SHA when a new release lands, so pinning for supply-chain safety does not mean going stale. Signed-off-by: fredespi <fredrik.espinoza@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ci.yml,nightly.yml,release.yml(each with a# vX.Y.Zcomment)..github/dependabot.yml(github-actions, weekly) so the pins stay current.Why
Mutable action tags (
@v6,@v1) can be hijacked — a force-moved tag would run attacker code on our runners, including the self-hosted GPU boxes. Immutable commit SHAs close that supply-chain vector; Dependabot keeps them from going stale.Actions pinned
(
dorny/paths-filter,taiki-e/install-action,j178/prek-actionwere already SHA-pinned.)Related hardening already applied to repo settings (not in this diff)
GITHUB_TOKENpermissions: write → readFollow-up (deliberately NOT in this PR)
sha_pinning_requiredonly after this merges and other open branches are rebased onto the pinnedmain— otherwise GitHub rejects runs on any ref whose workflows still reference tags.allowed_actionsfromalltoselected.Test plan
actionlintclean (aside from pre-existing self-hosted runner labels + one pre-existing shellcheck style nit)uses:refs in any workflow or composite action