ci: pin GitHub Actions to SHAs #87184
Conversation
aescolar
left a comment
+0
No complaints from me.
I only checked that the SHAs in the actions used from the bsim workflows seem to point to verified commits in the actions repos themselves and not forks. But not their code content.
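The check described in the comment above (does each pinned SHA belong to the action's own repository rather than a fork?) can be scripted. The following is an added example, not code from this PR or from the Zephyr project. It parses `uses:` lines out of workflow YAML, classifies each reference as SHA-pinned or mutable, and for SHA pins compares the SHA against the tags the upstream repository advertises via `git ls-remote --tags`. The sample workflow, the `example-org/some-action` reference and all SHAs in the embedded `ls-remote` output are constructed for the example and are not real.

```python
"""Audit GitHub Actions `uses:` references (added example, not Zephyr's code)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>\S+)(?:\s+#\s*(?P<comment>.*?))?\s*$")


@dataclass(frozen=True)
class ActionRef:
    owner: str
    repo: str
    path: str     # subdirectory within the repo, "" for the root action
    ref: str      # text after '@': SHA, tag or branch
    comment: str  # trailing "# v5.3.0"-style note, "" if absent

    @property
    def slug(self) -> str:
        return f"{self.owner}/{self.repo}"

    @property
    def github_owned(self) -> bool:
        return self.owner in ("actions", "github")

    @property
    def sha_pinned(self) -> bool:
        return bool(SHA_RE.match(self.ref))


def parse_uses(workflow_text: str) -> list[ActionRef]:
    """Extract remote action references; local (./) and docker:// targets are skipped."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip("\"'")
        if target.startswith(("./", "docker://")) or "@" not in target:
            continue
        name, ref = target.rsplit("@", 1)
        parts = name.split("/")
        if len(parts) < 2:
            continue
        refs.append(ActionRef(parts[0], parts[1], "/".join(parts[2:]), ref,
                              (m.group("comment") or "").strip()))
    return refs


def parse_ls_remote(output: str) -> dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags` output.
    Annotated tags are listed twice: refs/tags/X (the tag object) and
    refs/tags/X^{} (the peeled commit); the peeled SHA is what a workflow pin must equal."""
    tags: dict[str, str] = {}
    for line in output.splitlines():
        if "\t" not in line:
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha
        else:
            tags.setdefault(name, sha)
    return tags


def matching_tags(pin: ActionRef, tags: dict[str, str]) -> list[str]:
    """Tags in the action's own repo that resolve to the pinned SHA
    (a release commit usually carries both a major tag like v5 and v5.3.0)."""
    return [name for name, sha in tags.items() if sha == pin.ref]


def fetch_tags(slug: str) -> dict[str, str]:
    """Live variant (needs network): ask git for the action repo's tags."""
    out = subprocess.run(["git", "ls-remote", "--tags", f"https://github.com/{slug}"],
                         check=True, capture_output=True, text=True).stdout
    return parse_ls_remote(out)


def audit(refs: list[ActionRef], tag_lookup: Callable[[str], dict[str, str]]) -> list[str]:
    """One finding per reference that is mutable, whose SHA matches no upstream tag,
    or whose version comment disagrees with the tags the SHA actually carries."""
    findings = []
    for r in refs:
        if not r.sha_pinned:
            owned = " (GitHub-owned)" if r.github_owned else ""
            findings.append(f"{r.slug}@{r.ref}: mutable ref{owned}")
            continue
        hits = matching_tags(r, tag_lookup(r.slug))
        if not hits:
            findings.append(f"{r.slug}@{r.ref}: SHA is not any tag of {r.slug} "
                            "(commit from a fork, or not a release)")
        elif r.comment and r.comment not in hits:
            findings.append(f"{r.slug}@{r.ref}: comment says {r.comment} "
                            f"but SHA is tagged {', '.join(hits)}")
    return findings


# Constructed sample workflow; example-org/some-action is hypothetical.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.3.0
      - uses: example-org/some-action@main
      - uses: ./.github/actions/local-helper
"""

# Constructed `git ls-remote --tags` output for actions/setup-python; all SHAs are made up.
SAMPLE_LS_REMOTE = (
    "89abcdef0123456789abcdef0123456789abcdef\trefs/tags/v5.3.0\n"
    "0123456789abcdef0123456789abcdef01234567\trefs/tags/v5.3.0^{}\n"
    "fedcba9876543210fedcba9876543210fedcba98\trefs/tags/v5.2.0\n"
    "0123456789abcdef0123456789abcdef01234567\trefs/tags/v5\n"
)

if __name__ == "__main__":
    tags = parse_ls_remote(SAMPLE_LS_REMOTE)
    for finding in audit(parse_uses(SAMPLE_WORKFLOW),
                         lambda slug: tags if slug == "actions/setup-python" else {}):
        print(finding)
```

A tag match only rules out a SHA that exists solely in a fork (GitHub will happily render such a commit under the upstream repository's URL, so eyeballing the web page is not a reliable check) and confirms that the SHA is what the upstream tag currently resolves to; it says nothing about the action's code, which still has to be reviewed. A SHA that is reachable from a tag but not at it is reported as unmatched, which is usually what you want when the policy is "pin to a released tag". Replace the lambda with `fetch_tags` to run it against live repositories.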
pdgendt
left a comment
+1, but we'll probably want to have dependabot working so we don't need to manually keep track of this.
@stephanosio / @nashif can it be verified that dependabot update PRs could be created?
I've submitted an issue dependabot/dependabot-core#11657 but I'm also not entirely sure if there's simply a setting disabled in the repository.
Looking at zephyr-testing, the updates do seem to work: zephyrproject-rtos/zephyr-testing#311
You would think we should be trusting actions from gh, i.e. those hosted at
I checked everything related to that and it seems we have everything in place, not sure what is missing.
9b7557f to 2aef93b
updated to only pin non
This commit updates all GitHub Actions workflows to use specific SHAs for the actions when they're not GitHub-owned (`actions/*`) instead of using tag-based versioning since tags are mutable.

Signed-off-by: Benjamin Cabé <[email protected]>
2aef93b to 25fa8b5
FWIW it might still be best practice to pin everything - at least as per scorecard checks (https://scorecard.dev/viewer/?uri=github.com/zephyrproject-rtos/zephyr --- they do give a "not-so-bad" score for GitHub-owned vs non-GitHub actions, but the only way to get a 10/10 is to pin everything) -- I would be happy to revert to the original approach of pinning everything depending on people's feedback/thoughts on this.
I have no problem with that, I was just wondering.... the scorecard needs lots of work in many areas, right now it is very bad in general (5.3)
Dependabot is able to run: see #87204, so I would be in favor of pinning all action versions.
Yeah I would agree -- basically we should be fine pinning ourselves to whatever SHA at a given point in time for all actions since we typically don't care about getting latest updates for minor bug fixes except when they're security fixes, which Dependabot will let us know about. Waiting a bit more to hear from others and will switch back to the original "pin everything" approach if nobody feels strongly against it.
Why did this PR become a hotfix?
Pinning to specific version and hashes helps with preventing supply chain attacks. Do not use custom tokens, rely on GH provided and managed tokens. Update GitHub Actions workflows to follow principle of least privilege

Based on zephyr changes:
zephyrproject-rtos/zephyr#87184
zephyrproject-rtos/zephyr#87609
zephyrproject-rtos/zephyr#87510
zephyrproject-rtos/zephyr#87254

Signed-off-by: Jakub Ciesla <[email protected]>
This commit updates all GitHub Actions workflows to use specific SHAs for the actions instead of using tag-based versioning since tags are mutable.
Alternatively, we could keep `actions/` and `zephyrproject-rtos/actions` unpinned as they are rather unlikely to be compromised. Will probably want to backport, too.