Description
Code of Conduct
- I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
- https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform#requesting-the-access-token
- https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
- https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure#requesting-the-access-token
- https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#requesting-the-access-token
- https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow
What part(s) of the article would you like to see updated?
```yaml
steps:
  - id: 'auth'
    name: 'Authenticate to GCP'
    uses: 'google-github-actions/auth@v0.3.1'
    with:
```
This should pin a hash instead; also, the reusable disclaiming third-party usage should be added.
Additional information
This is analogous for all the pages mentioned, for both # Requesting and # Revoking examples.
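An added check for the pinning convention this issue asks about (example code written for this page, not code from the github/docs project or any GitHub action): it scans workflow text for `uses:` references to remote actions that are not pinned to a full 40-hex commit SHA, and shows how `git ls-remote --tags` output resolves a tag such as `v0.3.1` to the commit that should be pinned, rewritten in the `owner/repo@<sha>  # v0.3.1` form. The workflow text, the hashes and the `example-org/example-action` name are constructed sample input.

```python
"""Check GitHub Actions workflow snippets for SHA-pinned third-party actions.

Added example for this page; not code from the github/docs project.
1. find_unpinned() flags every `uses:` reference to a remote action whose ref
   is not a full 40-hex commit SHA (tags like v0.3.1 and branches are mutable;
   abbreviated SHAs are deliberately rejected too).
2. resolve_tag() turns `git ls-remote --tags <url>` output into the commit a
   tag points at, so pinned_form() can rewrite the reference as
   `owner/repo@<sha>  # v0.3.1`.
SAMPLE_WORKFLOW and SAMPLE_LS_REMOTE are constructed inputs (hashes are fake).
"""
import re

# Match `uses: value` or `- uses: 'value'`; the value stops at a quote, space or `#`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

SAMPLE_WORKFLOW = """\
jobs:
  deploy:
    steps:
      - uses: actions/checkout@v4
      - id: auth
        uses: 'google-github-actions/auth@v0.3.1'
        with:
          workload_identity_provider: ${{ secrets.PROVIDER }}
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567
"""

# Constructed `git ls-remote --tags` output for an annotated tag: the first
# line is the tag object itself, the `^{}` line is the commit it points at.
SAMPLE_LS_REMOTE = (
    "a" * 40 + "\trefs/tags/v0.3.1\n"
    + "b" * 40 + "\trefs/tags/v0.3.1^{}\n"
)


def parse_uses(workflow_text):
    """Return (line_number, uses_value) for every `uses:` line in the text."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            found.append((n, m.group(1)))
    return found


def classify(uses_value):
    """Classify a `uses:` value as local, docker, sha, or mutable (tag/branch)."""
    if uses_value.startswith("./"):
        return "local"      # action in the same repo: nothing to pin
    if uses_value.startswith("docker://"):
        return "docker"     # container image: pin by digest, a separate check
    if "@" not in uses_value:
        return "mutable"    # remote action with no ref at all
    ref = uses_value.rsplit("@", 1)[1]
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_unpinned(workflow_text):
    """Return (line_number, uses_value) for remote actions not pinned to a SHA."""
    return [(n, v) for n, v in parse_uses(workflow_text) if classify(v) == "mutable"]


def resolve_tag(ls_remote_output, tag):
    """Map a tag to its commit SHA from `git ls-remote --tags <url>` output.

    Annotated tags appear twice: `refs/tags/X` (the tag object) and
    `refs/tags/X^{}` (the commit). Pin the commit, so prefer the `^{}` line.
    Returns None when the tag is absent.
    """
    tag_obj = commit = None
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if ref == f"refs/tags/{tag}^{{}}":
            commit = sha
        elif ref == f"refs/tags/{tag}":
            tag_obj = sha
    return commit or tag_obj


def pinned_form(uses_value, sha):
    """Rewrite owner/repo@tag as `owner/repo@<sha>  # tag` (tag kept as a comment)."""
    action, tag = uses_value.rsplit("@", 1)
    return f"{action}@{sha}  # {tag}"


if __name__ == "__main__":
    for n, value in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {value} is not SHA-pinned")
    sha = resolve_tag(SAMPLE_LS_REMOTE, "v0.3.1")
    print(pinned_form("google-github-actions/auth@v0.3.1", sha))
```

Run it against a real workflow by reading the file instead of `SAMPLE_WORKFLOW`, and feed `resolve_tag` the actual output of `git ls-remote --tags https://github.com/<owner>/<repo>`; the tag comment after the SHA is what tools like Dependabot use to keep the pin updated.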
Activity
janbrasna commented on Aug 15, 2024
Or do I remember it wrong and it's mandatory only in starter-workflows …?
nguyenalex836 commented on Aug 15, 2024
@janbrasna Thanks so much for opening an issue!
We'll get to the bottom of this during review! ✨
github-actions commented on Aug 15, 2024
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀
janbrasna commented on Aug 15, 2024
It's definitely here:
{% data reusables.actions.actions-not-certified-by-github %}
{% data reusables.actions.actions-use-sha-pinning %}
and definitely being used e.g. in Docker examples… but now I can't seem to locate any guidelines for that in the style guide or writing examples.
nguyenalex836 commented on Aug 22, 2024
@janbrasna Thank you for your patience while our engineering team reviewed this issue! They responded with the following -
Let us know if you have any thoughts regarding the above! For now, I'll add the `help wanted` label to this issue so that you, or anyone else, can make these updates 💛
janbrasna commented on Jan 6, 2025
That.
Seems like a random mix of pins somewhere, and not declaring third-party elsewhere. (Don't have a solution/opinion myself.)
janbrasna commented on Jan 6, 2025
FYI I was not concerned about tips for writing one's own workflows or hardening thereof per se — but a consistency in example code shown for various topics that use third-party actions, as the reusables already in place would signal to be the preference… just not applied site-wide and not expressed as a rule/guideline anywhere.
Where it is explicitly stated is e.g. here:
https://github.com/actions/starter-workflows/blob/f81606ba01cd6142d264a19ddf8cc2a485a86576/.github/pull_request_template.md?plain=1#L50-L58
nguyenalex836 commented on Jan 6, 2025
@janbrasna Apologies on behalf of our bot! Opening this `help wanted` issue back up now 💛
janbrasna commented on Jan 18, 2025
I'm not sure it's really actionable in any way, when even SME feedback is "don't know" — basically matching my sentiments.
I see some examples using it, consistently or not, as:
- pypa/*
  https://github.com/github/docs/blob/main/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-python.md#publishing-to-pypi
- swift-actions/*
  https://github.com/github/docs/blob/main/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-swift.md#using-multiple-swift-versions (only in the first example, then omitted later in the snippets)
- ruby/*
  https://github.com/github/docs/blob/main/content/actions/use-cases-and-examples/building-and-testing/building-and-testing-ruby.md#using-a-ruby-workflow-template that doesn't have it in the snippets it starts with, but the full workflow then has both the third-party reusables included.

So these are just some of the examples using it, and the question is what's the rule then? Only include it for complete workflow examples and avoid it in single jobs or just steps demonstrated…? Or is it enough to include that once on such a page? What if the only occurrence is a short snippet, should it go there then, too?
TL;DR — I was mostly surprised this is being included in things like Ruby setup (where, honestly, you really want to follow the stable releases as your workflow may break over time with runner changes et al.) but not in OIDC setups where it feels more important — so this issue got raised merely for asking to define what should be the consistent way, a rule of thumb, or a guideline generally, to follow here.