Off the back of https://news.ycombinator.com/item?id=43367987, I think it would be prudent to:
Have
and GitHub Configuration Best Practices (Continuous Integration / Continuous Deployment) prominently signpost to the canonical Security hardening for GitHub Actions (Using third-party actions), and that a reference implementation of a CI/CD check for/enforce this be included.
For this, Gemini cooked up for me this:
name: Enforce Commit Hash Pinning
on:
  pull_request:
    branches:
      - main # Or your main branch
  push:
    branches:
      - main # Or your main branch
permissions:
  contents: read # the check only needs to read the repository
jobs:
  check-pinning:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # This reference should itself be pinned to a full commit SHA (the tag is kept
        # here only because the exact SHA is not given in this issue); as written the
        # check violates its own rule.
        uses: actions/checkout@v4
      - name: Find actions pinned by tag
        id: find-tags
        run: |
          # Match every `uses:` line that carries an @ref, then drop the ones whose ref is
          # a full 40-hex-character commit SHA. (The original pattern, [^0-9a-f]{7,40},
          # required 7+ non-hex characters after the @ and so missed refs such as @v4.)
          # Local actions (uses: ./path) have no @ref and are skipped. grep -rn prints
          # file:line:content; `|| true` keeps the step from failing when nothing matches.
          TAGGED_ACTIONS=$(grep -rnE 'uses:[[:space:]]*[^[:space:]@]+@' .github/workflows/ \
            | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true)
          if [[ -n "$TAGGED_ACTIONS" ]]; then
            # ::set-output is deprecated; multi-line values use the heredoc form of $GITHUB_OUTPUT.
            {
              echo "tagged_actions<<EOF"
              echo "$TAGGED_ACTIONS"
              echo "EOF"
              echo "found=true"
            } >> "$GITHUB_OUTPUT"
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Fail if actions are pinned by tag
        if: steps.find-tags.outputs.found == 'true'
        # Pass the output in via an environment variable instead of interpolating ${{ }}
        # into the script body, so that workflow file contents cannot inject shell.
        env:
          TAGGED_ACTIONS: ${{ steps.find-tags.outputs.tagged_actions }}
        run: |
          echo "Error: Actions must be pinned to a commit hash, not a tag."
          echo "The following actions are pinned by tag:"
          echo "$TAGGED_ACTIONS"
          exit 1
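The same check as a standalone script, added here as an example and not part of the issue author's post or of the Gemini-generated workflow above. It runs locally or as a pre-commit hook and is exercised against a constructed sample workflow (placeholder action names and a placeholder SHA, not real ones) that covers each reference form the check has to tell apart: tag, branch, short SHA, full SHA with a trailing version comment, and a local action path.

```shell
#!/usr/bin/env bash
# Added example (not from the original issue): standalone action-pinning check
# plus a constructed sample workflow that exercises its edge cases.
set -eu

# Print every `uses:` reference under $1 whose @ref is not a full 40-hex-char
# commit SHA (grep -rn output is file:line:content). Local actions (uses: ./path)
# carry no @ref and are accepted. Always exits 0; empty output means "clean".
find_unpinned() {
  local dir="$1"
  grep -rnE 'uses:[[:space:]]*[^[:space:]@]+@' "$dir" \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# Number of unpinned references under $1 (prints 0 when clean).
count_unpinned() {
  find_unpinned "$1" | grep -c . || true
}

# Return 1 and list the offenders on stderr if anything is unpinned, else 0.
check_pinning() {
  local out
  out="$(find_unpinned "$1")"
  if [ -n "$out" ]; then
    printf 'Actions must be pinned to a full commit SHA, not a tag or branch:\n%s\n' "$out" >&2
    return 1
  fi
  return 0
}

# Constructed sample workflow written into directory $1. The action names and
# the 40-character SHA are placeholders, not real actions or commits.
make_sample() {
  mkdir -p "$1"
  cat > "$1/ci.yml" <<'YAML'
name: sample
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example/checkout@v4                                          # tag: flagged
      - uses: example/setup@main                                           # branch: flagged
      - uses: example/cache@0123456789abcdef0123456789abcdef01234567 # v1.2.3 (full SHA, version noted in comment): accepted
      - uses: example/lint@0123456                                         # short SHA: flagged
      - uses: ./.github/actions/local                                      # local action, no @ref: accepted
YAML
}

# When run directly with a directory argument, e.g. `./pincheck.sh .github/workflows`,
# check that directory and exit non-zero if anything is unpinned.
if [ "$#" -gt 0 ]; then
  check_pinning "$1"
fi
```

Two caveats a practitioner should know before adopting this as the enforced check: it only looks under the directory it is given, so `uses:` lines inside composite actions stored elsewhere in the repository are not covered unless that path is passed too, and `docker://` references are treated like any other `@ref`, so an image pinned by `@sha256:<digest>` is reported rather than accepted.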