
Maintenance: harden workflows by pinning 3rd party actions to full length SHA number #1025


Closed · dreamorosi opened this issue Jul 23, 2022 · 2 comments · Fixed by #1335
Assignees: am29d
Labels: automation, completed, good-first-issue, internal

Comments

@dreamorosi (Contributor)

Problem statement

Workflows can use 3rd party actions. When specifying an action in a workflow you can use a version (e.g. actions/setup-node@v3) or specify a full-length SHA number (e.g. peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305).

When using the first method, two workflow executions could be using versions of a 3rd party action that correspond to different commits. This exposes the repository running the workflow to the risk of a bad actor adding a backdoor to the action's repository.

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate this risk, as they would need to generate a SHA-1 collision for a valid Git object payload.

Summary of the feature

Go through all existing workflows in this repo and pin all 3rd party actions to a specific full-length SHA number.

Also, to avoid future oversights, add a workflow (see next section) that runs whenever a change is made under .github/workflows/* (the folder that contains the workflows run by GitHub Actions, and also the only place where 3rd party actions can be defined/used).

As maintainers, we should see the following error when non-compliant:
[screenshot: the workflow check failing on a non-compliant action reference]

Code examples

See the workflow used in the Powertools for Python repository here.

Benefits for you and the wider AWS community

Hardened security for the repository.

Describe alternatives you've considered

N/A

Additional context

Recommendations on hardening security in the official docs of GitHub Actions: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Related issues, RFCs

aws-powertools/powertools-lambda-python#1301
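The check the issue asks for, as an added example that is not part of the original issue and not the workflow the Powertools for Python repository actually uses: a small scanner that reads workflow files, finds every `uses:` reference and reports those not pinned to a full-length commit SHA. The sample workflow text embedded below is constructed for this example; `example-org/example-action` and its 40-hex SHA are placeholders, not a real action or commit, while `actions/checkout@v3` and the `peaceiris/actions-gh-pages` SHA are the references quoted in the issue.

```python
import re
import sys
from pathlib import Path
from typing import List, Tuple

# A `uses:` line in a workflow: optional list dash, the action reference,
# optional quotes and an optional trailing comment (commonly "# vX.Y.Z").
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(#.*)?$")
# A full-length Git object id (SHA-1, as used by GitHub today).
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_reference(ref: str) -> str:
    """Classify one `uses:` value as 'local', 'pinned' or 'unpinned'."""
    if ref.startswith("./"):
        return "local"  # action in this repository, not a 3rd party dependency
    if ref.startswith("docker://"):
        # Container actions are pinned by image digest, not by commit SHA.
        return "pinned" if "@sha256:" in ref else "unpinned"
    if "@" not in ref:
        return "unpinned"  # no ref at all (defaults to the default branch)
    _, _, version = ref.rpartition("@")
    # Tags (v3), branches (main) and abbreviated SHAs are all mutable; only a
    # full 40-hex commit id counts as pinned.
    return "pinned" if FULL_SHA_RE.match(version) else "unpinned"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reference, reason) for every unpinned `uses:`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if classify_reference(ref) == "unpinned":
            findings.append((lineno, ref, "not pinned to a full-length commit SHA"))
    return findings


def check_workflows(workflows_dir: str = ".github/workflows") -> List[str]:
    """Scan every *.yml / *.yaml under workflows_dir; return human-readable findings."""
    messages = []
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        for lineno, ref, reason in find_unpinned(path.read_text(encoding="utf-8")):
            messages.append(f"{path}:{lineno}: {ref}: {reason}")
    return messages


# Constructed sample workflow used to exercise the scanner (not a real repo file).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305
      - name: Placeholder step
        uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: "some/action@main"
"""


if __name__ == "__main__":
    # With no directory argument, demonstrate on the constructed sample.
    if len(sys.argv) > 1:
        problems = check_workflows(sys.argv[1])
    else:
        problems = [f"sample:{n}: {ref}: {why}" for n, ref, why in find_unpinned(SAMPLE_WORKFLOW)]
    for problem in problems:
        print(problem)
    # Non-zero exit makes the job fail, which is the error a maintainer should see.
    sys.exit(1 if problems else 0)
```

Run it as a step in a workflow triggered on `pull_request` with `paths: ['.github/workflows/**']`; the non-zero exit fails the job. Two caveats a practitioner would want: the scanner only sees this repository's workflow files, so a pinned composite or JavaScript action that itself references other actions by tag is not covered, and a pinned SHA is only as trustworthy as the commit it points to, so review the pinned commit when adding or bumping it.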

@dreamorosi added the good-first-issue and github_actions labels on Jul 23, 2022
@dreamorosi added the automation, confirmed and internal labels and removed the github_actions label on Nov 13, 2022
@dreamorosi changed the title from "Feature (build): harden workflows by pinning 3rd party actions to full length SHA number" to "Maintenance: harden workflows by pinning 3rd party actions to full length SHA number" on Nov 14, 2022
@dreamorosi (Contributor, Author)

#1324 starts adding some of these hashes

@am29d self-assigned this on Feb 26, 2023
@dreamorosi moved this from Backlog to Working on it in AWS Lambda Powertools for TypeScript on Feb 26, 2023
@github-project-automation bot moved this from Working on it to Coming soon in AWS Lambda Powertools for TypeScript on Feb 27, 2023
@github-actions (bot)

⚠️ COMMENT VISIBILITY WARNING ⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions bot added the pending-release label on Feb 27, 2023
@dreamorosi added the completed label and removed the pending-release and confirmed labels on Feb 27, 2023
@dreamorosi moved this from Coming soon to Shipped in AWS Lambda Powertools for TypeScript on Feb 27, 2023