allow excluding orgs/actions from pinning

[raboof]

In some contexts, all versions of the actions from certain orgs (such as https://github.com/actions/ or the projects' own org) are trusted. In such a scenario, the value of pinning is less obvious compared to 3rd-party repo's (and should be weighed against the additional dependabot churn). It might be helpful to be able to exclude such orgs from pinning.

[netomi]

I could imagine that we support a config file, e.g. in yaml format that specifies with wildcard what actions to ignore.

[netomi]

Maybe we should honor the configuration as present in the dependabot.yaml of the repo:

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated

There is support for ignoring dependencies.

[raboof]

Maybe we should honor the configuration as present in the dependabot.yaml of the repo:

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated

There is support for ignoring dependencies.

I like the idea, but for example for the SLSA case you mentioned you might still want dependabot to upgrade the tags even if you don't want octopin to convert it to a hash, right? You might have similar situations here?

[netomi]

hmm indeed, the ignore should only be taken into account for the pinning, updates shall work normally.

So we need to come up with our own format ...

[netomi]

so I just checked the latest version of zizmor and it also has support for fixing unpinned actions and supports exclusions via a configuration file.

Actually I integrated it now into octopin itself, see https://github.com/eclipse-csi/octopin/blob/main/.github/zizmor.yml

It might be the better alternative compared to octopin.

The documentation of zizmor also lists alternative tools for this remediation: https://docs.zizmor.sh/audits/#remediation_27

Looking for example at pinact, it might really be superior to what octopin can offer. 2 years ago there was not really something available so we started with this tool, but it appears to be mostly obsolete now imho.

[mbarbero]

Agreed, I've been looking at pinact recently, and it feels like a superior alternative to octopin. I suggest we review the handbook and change references from octopin to pinact, and then archive this repo.

Any objection, @eclipse-csi/technology-csi-committers?

[netomi]

I would be +1 to archive the repo

[mbarbero]

Cowardly assigning to @kairoaraujo :) Thanks!

[kairoaraujo]

I would be +1 to archive the repo

+1