Skip to content

OIDC examples don't pin external actions (& don't declare them) #34316

Open
@janbrasna

Description

Code of Conduct

  • I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

  1. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform#requesting-the-access-token
  2. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
  3. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure#requesting-the-access-token
  4. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#requesting-the-access-token
  5. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow

What part(s) of the article would you like to see updated?

    steps:
    - id: 'auth'
      name: 'Authenticate to GCP'
      uses: 'google-github-actions/auth@v0.3.1'
      with:

should pin a hash instead, also the reusable disclaiming 3rdparty usage should be added.

Additional information

This is analogous for all the pages mentioned, for both # Requesting and # Revoking examples.

Activity

added
contentThis issue or pull request belongs to the Docs Content team
on Aug 15, 2024
added
triageDo not begin working on this issue until triaged by the team
on Aug 15, 2024
janbrasna

janbrasna commented on Aug 15, 2024

@janbrasna
ContributorAuthor

Or do I remember it wrong and it's mandatory only in starter-workflows …?

added
actionsThis issue or pull request should be reviewed by the docs actions team
waiting for reviewIssue/PR is waiting for a writer's review
and removed
triageDo not begin working on this issue until triaged by the team
on Aug 15, 2024
nguyenalex836

nguyenalex836 commented on Aug 15, 2024

@nguyenalex836
Contributor

@janbrasna Thanks so much for opening an issue!

Or do I remember it wrong and it's mandatory only in starter-workflows …?

We'll get to the bottom of this during review! ✨

added
needs SMEThis proposal needs review from a subject matter expert
on Aug 15, 2024
github-actions

github-actions commented on Aug 15, 2024

@github-actions
Contributor

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

janbrasna

janbrasna commented on Aug 15, 2024

@janbrasna
ContributorAuthor

it's definitely here:

  • {% data reusables.actions.actions-not-certified-by-github %}
  • {% data reusables.actions.actions-use-sha-pinning %}

and definitely being used e.g. in docker examples… but now i can't seem to be able to locate any guidelines for that in the style guide or writing examples.

nguyenalex836

nguyenalex836 commented on Aug 22, 2024

@nguyenalex836
Contributor

@janbrasna Thank you for your patience while our engineering team reviewed this issue! They responded with the following -

... touching on a general concern where a maintainer of an action can change what the v2 branch or v2.1.5 tag points to. By pointing to a specific commit SHA, you can be confident exactly what you're getting regardless of what ever else the maintainers do. This comes at the cost of needing to keep these versions updated as the maintainers create new releases.

... there are trade offs in both approaches, more security or ease of managing upgrades. Users who want can try to get a balance of both by using SHAs and turning on Dependabot to open PRs when never versions are available.

Still, I don’t know if we want to align all of GitHub docs purely on SHA pinning or not. Directing users to the links above about considerations is my preference.

Let us know if you have any thoughts regarding the above! For now, I'll add the help wanted label to this issue so that you, or anyone else, can make these updates 💛

added
SME reviewedAn SME has reviewed this issue/PR
help wantedAnyone is welcome to open a pull request to fix this issue
and removed
waiting for reviewIssue/PR is waiting for a writer's review
needs SMEThis proposal needs review from a subject matter expert
on Aug 22, 2024

1 remaining item

removed
staleThere is no recent activity on this issue or pull request
on Oct 29, 2024
added
triageDo not begin working on this issue until triaged by the team
on Oct 29, 2024
removed
triageDo not begin working on this issue until triaged by the team
on Oct 29, 2024
added
staleThere is no recent activity on this issue or pull request
on Dec 30, 2024
janbrasna

janbrasna commented on Jan 6, 2025

@janbrasna
ContributorAuthor

Still, I don’t know if we want to align all of GitHub docs purely on SHA pinning or not.

That.

Seems like a random mix of pins somewhere, and not declaring 3rdparty elsewhere. (Don't have a solution/opinion myself.)

janbrasna

janbrasna commented on Jan 6, 2025

@janbrasna
ContributorAuthor

FYI I was not concerned about tips for writing own workflows or hardening thereof per se — but a consistency in example code shown for various topics that use 3rdparty actions, as the reusables already in place would signal to be the preference… just not applied site-wide and not expressed as a rule/guideline anywhere.

Where it is explicitly stated is e.g. here:
https://github.com/actions/starter-workflows/blob/f81606ba01cd6142d264a19ddf8cc2a485a86576/.github/pull_request_template.md?plain=1#L50-L58

  • This workflow must only use actions that are produced by GitHub, in the actions organization, or
  • This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be published to the GitHub Marketplace. We require that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file: […]
removed
staleThere is no recent activity on this issue or pull request
on Jan 6, 2025
added
triageDo not begin working on this issue until triaged by the team
on Jan 6, 2025
nguyenalex836

nguyenalex836 commented on Jan 6, 2025

@nguyenalex836
Contributor

@janbrasna Apologies on behalf of our bot! Opening this help wanted issue back up now 💛

removed
triageDo not begin working on this issue until triaged by the team
on Jan 6, 2025
janbrasna

janbrasna commented on Jan 18, 2025

@janbrasna
ContributorAuthor

I'm not sure it's really actionable in any way, when even SME feedback is "don't know" — basically matching my sentiments.

I see some examples using it, consistently or not, as:

So these are just some of the examples using it, and question is what's the rule then? Only include it for complete workflow examples and avoid it in single jobs or just steps demonstrated…? Or is it enough to include that once on such page? What if the only occurrence is a short snippet, should it go there then, too?

TL'DR — I was mostly surprised this is being included in things like ruby setup (where, honestly, you really wanna follow the stable releases as your workflow may break over time with runner changes et al.) but not in OIDC setups where it feels more important — so this issue got raised merely for asking to define what should be the consistent way, a rule of thumb, or a guideline generally, to follow here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    SME reviewedAn SME has reviewed this issue/PRactionsThis issue or pull request should be reviewed by the docs actions teamcontentThis issue or pull request belongs to the Docs Content teamhelp wantedAnyone is welcome to open a pull request to fix this issue

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

      Participants

      @janbrasna@nguyenalex836

      Issue actions

        OIDC examples don't pin external actions (& don't declare them) · Issue #34316 · github/docs