Confusing alert "Unversioned Immutable Action"

[ericcornelissen]

Not sure if this is the right place to report this but couldn't figure out a better place...

I tested the new support for scanning GitHub Actions Workflows and got a ton of findings for "Unversioned Immutable Action".

The description for the finding is confusing me a bit for various reasons. I included a copy of the report I received at the bottom of this issue. My specific confusion is because of

1. I'm assuming this is referring to Immutable Actions [GA] roadmap#592 which doesn't appear to be launched yet, is that correct?
2. It says "Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable." despite the fact that I'm using commit refs (e.g. actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0). While I might want to switch to immutable actions, I believe the latter half of the sentence is factually incorrect in this case. Also, the use of commit refs is not included in the examples.
3. The first link, https://github.com/github/package-registry-team/blob/main/docs/immutable-actions/immutable-actions-howto.md, is a 404 for me.
4. The second link does not have a target URL (it's <a href=""></a> in the page source).

---

---

---

Description

Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable. This means the action code can between runs and without the user's knowledge. Using an immutable action with proper semantic versioning will resolve to the exact version
of the action stored in the GitHub package registry. The action code will not change between runs.

Recommendations

When using immutable actions use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs.

Examples

Incorrect Usage

- uses: actions/checkout@some-tag
- uses: actions/checkout@2.x.x

Correct Usage

- uses: actions/checkout@4.0.0

References

• Consuming immutable actions

[adityasharad]

Thank you for trying out this new feature and for your rapid and thorough feedback - much appreciated. You're right. We'll work on improving the documentation for these alerts. We also appear to be enforcing usage patterns that are only applicable for now to GitHub-internal use (where we use this for our own security), so we'll adjust the alerts accordingly.

[leemeador]

I'm getting the same "error" with a sha as the version. A sha is not mutable and, while it is not a semantic version with 3 digits, it is fixed. Actually, its fixed better than a 3 digit semver since a release or tag on an action can be deleted and recreated with malicious content if the attacker has the correct credentials.

[aeisenberg]

@leemeador, thanks for the feedback. I can understand how this is confusing. Immutable Actions is an unreleased feature, where an action release is published in the GitHub Package Registry, and is guaranteed that once published, a new package with the same version cannot be published on top of it. In addition to better clarity in documentation, this feature brings better security guarantees.

This feature is not publicly available yet, and this query is only meant to apply to internal GitHub repositories. You can ignore it for now.

[adityasharad]

github/codeql#18356 will remove this query from the public query suites, and the confusing alerts will automatically close when your analysis receives the updated query pack after that change. We'll comment here when that happens too. Thanks for your patience.

[ericcornelissen]

I'm not running into this anymore at least as of https://github.com/github/codeql-action/releases/tag/v3.28.1