Pin all GitHub actions dependencies using hash rather than version #187
Comments
Take a look at the StepSecurity tool that does this, plus restricts permissions of actions. I have used it to raise a PR on my fork of
see also: https://github.com/ossf/scorecard-action
Fix at temurin-build adoptium/temurin-build#3136 (review)
Will dependabot still tell us when we're out of date? Does it read those hashes?
yes it does
Hi All, I am the maintainer of step-security/secure-workflows, which is the project that hosts the StepSecurity online tool mentioned in this thread. Just wanted to let you know that Dependabot has recently implemented support to add tag info in comments next to the commit SHA. So secure-workflows will add support for that soon. Here is the tracking issue: step-security/secure-repo#1360
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Hi @varunsh-coder, thank you for dropping in and being part of the conversation. I'm just looking for consensus from people before we run this on all our repos to improve security. I like that secure-workflows comments on the permissions in a job to explain why the permission was granted ("for X to Y"), but the action permission comment just looks like an advertisement ("added using ..."), or am I missing something ;-)
We may well choose to wait for this to ensure the code is readable
The idea is that if later on, one modifies the workflow, and needs to update the permissions, one can tell it was set using automation, and use it to update it. If you want, feel free to remove the comment in the forked branch. If I see more similar feedback, or see that more maintainers are spending time editing and removing it, I will update the automation to not add that ("added using") comment.
@varunsh-coder thanks for popping up in this thread (and thanks for your excellent work putting together the secure-workflows project!). One observation as an end user is that it seems that the repo URL strips out any string containing
Thanks for letting me know. Will address it and get back.
This issue is fixed.
Once we have been through and fixed all these versions to hashes, how will we ensure no more versions creep in? Clearly we can keep running the tool every so often to check, and ask/hope that reviewers remember to check on a PR too. Both of those require humans. Then there is a marketplace action to check it for us...
Plan is to wait until step-security/secure-repo#1087 is resolved before running on Adoptium repos. We agreed to set the minimal permissions scope and pin dependencies.
The PRs raised by the tool will fail the contributor agreement check (author is
CC @chrisguindon @mbarbero we are going to need an exception in place for commits made by the Step Security bot in order to work around our ECA check
👍 +1 from me |
@mbarbero @gdams I am thinking that we need someone to make a feature request to our projects-bots-api to enable this exception as we did with 49699333+dependabot[bot]@users.noreply.github.com https://github.com/EclipseFdn/projects-bots-api/blob/master/src/main/jsonnet/extensions.jsonnet |
FYI, running the tool on some workflows will result in, for example,
Just for awareness, I believe we only reuse workflows that we have authored.
@gdams, since we don't know how long it will take to get a fix for step-security/secure-repo#1087 and EclipseFdn/projects-bots-api#14 I'm tempted to use the tool to find the hashes and 'manually' produce a PR (authored by me) in the required format so we can start to progress this task. Shouldn't be more than an hour or so of grunt work. WDYT?
Yeah sounds good to me @tellison
Apologies for the delay in releasing the fix for the pinning issue. The part of going from vX -> vX.Y.Z is taking longer than expected. But we should have it out early next week.
On a related note to this thread, @boahc077 and I have been working with @mbarbero to onboard Eclipse orgs to a dashboard to track and improve the OpenSSF Scorecard score across repositories. For the
Sorry about that, there was an issue in setting up the access. When you get a chance, can you please try again?
That works now, thanks
I wanted to share a few updates:
See https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies for more information
This change needs to be applied across all repositories in the Adoptium org
e.g. rather than doing this:
Pin it to the latest Git hash like this:
@mbarbero has a tool that may be able to help automate these changes as I appreciate that it's hardly ideal to do this work manually. Note that once we've made the change, Dependabot will then switch to using the hash for future updates so this won't need regularly updating
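As an added example, not code from this issue, from the Adoptium repositories, or from the StepSecurity or Dependabot tooling discussed above: a small Python checker that reports every `uses:` reference in a workflow that is not pinned to a full 40-character commit SHA (the Scorecard "Pinned-Dependencies" rule), plus a rewriter that turns `action@tag` into the `action@<sha> # tag` form Dependabot recognises. The rewriter takes a tag-to-SHA mapping the caller resolves out of band (for example with `git ls-remote`); it makes no network calls. This also answers the "how will we ensure no more versions creep in" question: run `audit_workflow` over `.github/workflows/*.yml` in CI and fail the job on any `unpinned` finding. The workflow text and the SHA values below are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample workflow (illustrative only): one step pinned by tag,
# one pinned by a made-up SHA with Dependabot's "# vX.Y.Z" comment, one local
# action and one container reference.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: 'actions/setup-java@0123456789abcdef0123456789abcdef01234567' # v3.11.0
      - uses: ./.github/actions/local-action
      - uses: docker://alpine:3.18
      - run: echo hello
"""

# Matches "- uses: <target>" with optional quotes and an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s]+)['\"]?\s*(#.*)?$")
# A full Git commit SHA is 40 lowercase hex characters; short SHAs are not accepted.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    status: str  # "pinned", "pinned-no-tag-comment", "unpinned", "local"


def audit_workflow(text: str) -> List[Finding]:
    """Classify every `uses:` reference in a workflow file."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith("./"):
            # Local actions live in the same repo and need no pin.
            findings.append(Finding(n, target, "", "local"))
            continue
        if target.startswith("docker://"):
            # Container images are immutable only when pinned by digest.
            status = "pinned" if "@sha256:" in target else "unpinned"
            findings.append(Finding(n, target, "", status))
            continue
        action, _, ref = target.partition("@")
        if SHA_RE.match(ref):
            # The trailing "# vX.Y.Z" comment is what lets Dependabot keep
            # tracking releases after the switch to SHAs.
            status = "pinned" if comment else "pinned-no-tag-comment"
        else:
            status = "unpinned"
        findings.append(Finding(n, action, ref, status))
    return findings


def pin_workflow(text: str, resolved: Dict[str, str]) -> str:
    """Rewrite tag-pinned lines to `action@<sha> # <tag>`.

    `resolved` maps "owner/repo@tag" to the commit SHA that tag points at;
    resolving it is the caller's job (hypothetical helper, e.g. git ls-remote).
    Lines whose tag is not in the mapping are left untouched.
    """
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            action, _, ref = target.partition("@")
            key = f"{action}@{ref}"
            is_remote = not target.startswith(("./", "docker://"))
            if is_remote and not SHA_RE.match(ref) and key in resolved:
                sha = resolved[key]
                if not SHA_RE.match(sha):
                    raise ValueError(f"not a full commit SHA for {key}: {sha}")
                prefix = line[: line.index("uses:") + len("uses:")]
                line = f"{prefix} {action}@{sha} # {ref}"
        out.append(line)
    return "\n".join(out) + "\n"


def unpinned(text: str) -> List[Finding]:
    """Convenience wrapper: just the findings a CI gate should fail on."""
    return [f for f in audit_workflow(text) if f.status == "unpinned"]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref} -> {f.status}")
```

Running the checker over the constructed workflow flags `actions/checkout@v3` and the unpinned `docker://` image; feeding `pin_workflow` a mapping for `actions/checkout@v3` yields a line in exactly the shape shown in the issue description, with the original tag preserved as a comment.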