Skip to content

Proposal: replace version based actions tags with commit SHAs instead #15947

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
kbdharun opened this issue Mar 15, 2025 · 1 comment · Fixed by #16026
Closed

Proposal: replace version based actions tags with commit SHAs instead #15947

kbdharun opened this issue Mar 15, 2025 · 1 comment · Fixed by #16026
Labels
archive Archive of changes made in tldr-pages, etc. security Issues/PRs related to security.

Comments

@kbdharun
Copy link
Member

Currently, across all our actions across workflows use conventional tags i.e. actions/checkout@v4, etc which is overwritable and non-immutable leading to malicious use like:

Using commit SHA's like this actions/javascript-action@a824008085750b8e136effc585c3cd6082bd575f will be much more secure since it's immutable and is much more reliable than tags. Also, it's supported by dependabot too (which will add a comment about the semver version beside it)

i.e.

Image

Checkout https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-pre-written-building-blocks-in-your-workflow#using-shas to know more.

GitHub is internally working on an immutable releases feature too from what I heard, which will enforce something similar IG.
@kbdharun kbdharun added the security Issues/PRs related to security. label Mar 15, 2025
@Managor
Copy link
Collaborator

Managor commented Mar 15, 2025

Feels like no-brainer decision. I see no downsides.

@kbdharun kbdharun mentioned this issue Mar 26, 2025
Merged
1 task
@kbdharun kbdharun added the archive Archive of changes made in tldr-pages, etc. label Mar 26, 2025
@kbdharun kbdharun mentioned this issue Mar 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
archive Archive of changes made in tldr-pages, etc. security Issues/PRs related to security.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: update workflows to use commit hash tldr-pages/tldr
2 participants
@kbdharun @Managor