github-actions: pin third-party actions #17420

Open: wants to merge 1 commit into base: main

Conversation

v1v
Member

@v1v v1v commented Mar 26, 2025

Release notes

[rn:skip]

What does this PR do?

Pin third-party actions as noted at https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Bump version for checkout and github-scripts

Why is it important/What is the impact to the user?

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files (and/or docker env variables)
  • I have added tests that prove my fix is effective or that my feature works

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@v1v v1v added backport-9.0 Automated backport to the 9.0 branch with mergify backport-8.x Automated backport to the 8.x branch with mergify backport-8.18 Automated backport with mergify labels Mar 26, 2025
@v1v v1v self-assigned this Mar 26, 2025
@v1v v1v requested review from pazone and mashhurs March 28, 2025 07:29
@@ -13,15 +13,15 @@ jobs:
if: github.event.issue.pull_request
runs-on: ubuntu-latest
steps:
- uses: actions-ecosystem/action-regex-match@v2
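Review bot: the only changed line visible for this hunk still references `actions-ecosystem/action-regex-match@v2`, a mutable tag, so this view does not show whether the replacement pins it to a full-length commit SHA as the PR title states; if #17347 removes this step, as the comment below suggests, drop this change rather than carry a pin that is about to be deleted, otherwise the pinned line should use the `# vX.Y.Z` trailing-comment form used for setup-ruby in the other hunk.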
Contributor

No longer needed if you land #17347.

@@ -12,10 +12,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
Contributor

we need to confirm from docs-team if this will break anything.
@karenzone can you please help us here. I am even not sure if we are using this after docs migration.

Member Author

checkout@v3 vs checkout@v4 should work, see https://github.com/actions/checkout/blob/main/CHANGELOG.md#v400

As far as I see it was a major change as they moved to node:20.

with:
fetch-depth: 0
- name: Set up Ruby
uses: ruby/setup-ruby@v1
uses: ruby/setup-ruby@7886c6653556e1164c58a7603d88286b5f708293 # v1.228.0
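Review bot: the new setup-ruby line pins a 40-character commit SHA with a `# v1.228.0` trailing comment, which is the form Dependabot needs to keep the version comment and the SHA in sync; before merging, confirm that `7886c6653556e1164c58a7603d88286b5f708293` resolves to a commit in ruby/setup-ruby itself and not a fork, since the hardening guidance quoted in this thread requires that. `actions/checkout` is only bumped from the `v3` tag here rather than SHA-pinned, which matches the PR's scope of third-party actions, but the description should mention the bump because the thread notes v4 moved the action to node:20.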
Contributor

Any reason to pin a specific minor version?
setup-ruby recommends using the version and not pinning a specific commit/release version.
Can you double check if we really need this?

Member Author

For third-party GH actions we need to follow the hardening:

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

⏫ , that's what InfoSec asked us to do.

So I took the latest v1 version at that time.
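A defender-side check for the rule quoted above, added here as an example and not code from this PR or the project: it scans a workflow file for `uses:` lines and flags third-party actions that are not pinned to a full-length commit SHA, or that are pinned without the `# vX.Y.Z` comment Dependabot keeps in sync with the SHA. The first-party allow-list and the sample workflow are constructed assumptions; the check cannot tell whether a SHA belongs to the action's own repository or a fork, which still has to be verified by hand.

```python
import re

# A full-length Git object id is 40 hex characters (SHA-1). Tags, branches
# and abbreviated SHAs are all mutable references and fail this test.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")

# Owners treated as first-party (GitHub-maintained) and left on version
# tags, as this PR does for actions/checkout. Assumption for the example.
FIRST_PARTY_OWNERS = {"actions", "github"}


def check_workflow(text, first_party=FIRST_PARTY_OWNERS):
    """Return (line_no, ref, problem) for each unpinned third-party action."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and images are out of scope
        path, _, version = ref.partition("@")
        owner = path.split("/", 1)[0]
        if owner in first_party:
            continue
        if not FULL_SHA.match(version):
            findings.append((n, ref, "not pinned to a full-length commit SHA"))
        elif comment is None:
            findings.append((n, ref, "SHA pin lacks a '# vX.Y.Z' version comment"))
    return findings


# Constructed sample workflow: one first-party tag, one correct pin, one tag,
# one abbreviated SHA and one full SHA without a version comment.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Ruby
        uses: ruby/setup-ruby@7886c6653556e1164c58a7603d88286b5f708293 # v1.228.0
      - uses: actions-ecosystem/action-regex-match@v2
      - uses: some-org/some-action@7886c66
      - uses: other-org/some-tool@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, ref, problem in check_workflow(SAMPLE):
        print(f"line {line_no}: {ref}: {problem}")
```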

Member Author

dependabot will be the one actually bumping the version, see #17421
