Pin all GitHub actions dependencies using hash rather than version

[gdams]

See https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies for more information

This change needs to be applied across all repositories in the Adoptium org

e.g rather than doing this:

- name: Checkout
  uses: actions/checkout@v3

Pin it to the latest Git hash like this:

- name: Checkout
  uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8

@mbarbero has a tool that may be able to help automate these changes as I appreciate that it's hardly ideal to do this work manually. Note that once we've made the change, Dependabot will then switch to using the hash for future updates so this won't need regularly updating

[tellison]

Take a look at the StepSecurity tool that does this, plus restricts permissions of actions.

I have used it to raise a PR on my fork of temurin-build as an example for us to look at.

[tellison]

see also: https://github.com/ossf/scorecard-action

[gdams]

Fix at temurin-build adoptium/temurin-build#3136 (review)

[karianna]

Will dependabot still tell us when we're out of date? Does it read those hashes?

[tellison]

Will dependabot still tell us when we're out of date? Does it read those hashes?

yes it does

[varunsh-coder]

Hi All, I am the maintainer of step-security/secure-workflows, which is the project that hosts the StepSecurity online tool mentioned in this thread.

Just wanted to let you know that Dependabot has recently implemented support to add tag info in comments next to the commit SHA. So secure-workflows will add support for that soon. Here is the tracking issue: step-security/secure-repo#1360

[tellison]

Hi @varunsh-coder, thank you for dropping in and being part of the conversation. I'm just looking for consensus from people before we run this on all our repos to improve security.

I like that secure-workflows comments on the permissions in a job to explain why the permission was granted ("for X to Y"), but the action permission comment just looks like an advertisement ("added using ..."), or am I missing something ;-)

[tellison]

Just wanted to let you know that Dependabot has recently implemented support to add tag info in comments next to the commit SHA. So secure-workflows will add support for that soon. Here is the tracking issue: step-security/secure-workflows#1360

We may well choose to wait for this to ensure the code is readable

[varunsh-coder]

Hi @varunsh-coder, thank you for dropping in and being part of the conversation. I'm just looking for consensus from people before we run this on all our repos to improve security.

I like that secure-workflows comments on the permissions in a job to explain why the permission was granted ("for X to Y"), but the action permission comment just looks like an advertisement ("added using ..."), or am I missing something ;-)

The idea is that if later on, one modifies the workflow, and needs to update the permissions, one can tell it was set using automation, and use it to update it. If you want, feel free to remove the comment in the forked branch. If I see more similar feedback, or see that more maintainers are spending time editing and removing it, I will update the automation to not add that ("added using") comment.

[gdams]

@varunsh-coder thanks for popping up in this thread, (and thanks for your excellent work putting together the secure-workflows project! One observation as an end user is that it seems that the repo URL strips out any string containing .git which makes sense at the end of the string but unfortunately causes issues when you pass a repo such as https://github.com/adoptium/.github (.github being a common repo in orgs for containing default workflows)

[varunsh-coder]

@varunsh-coder thanks for popping up in this thread, (and thanks for your excellent work putting together the secure-workflows project! One observation as an end user is that it seems that the repo URL strips out any string containing .git which makes sense at the end of the string but unfortunately causes issues when you pass a repo such as https://github.com/adoptium/.github (.github being a common repo in orgs for containing default workflows)

Thanks for letting me know. Will address it and get back.

[varunsh-coder]

@varunsh-coder thanks for popping up in this thread, (and thanks for your excellent work putting together the secure-workflows project! One observation as an end user is that it seems that the repo URL strips out any string containing .git which makes sense at the end of the string but unfortunately causes issues when you pass a repo such as https://github.com/adoptium/.github (.github being a common repo in orgs for containing default workflows)

Thanks for letting me know. Will address it and get back.

This issue is fixed.

[tellison]

Once we have been through and fixed all these versions to hases, how will we ensure no more versions creep in? Clearly we can keep running the tool every so often to check, and ask/hope that reviewers remember to check on a PR too. Both of those require humans.

Then there is a marketplace action to check it for us...

[tellison]

Plan is to wait until step-security/secure-repo#1087 is resolved before running on Adoptium repos. We agreed to set the minimal permissions scope and pin dependencies.

[tellison]

The PRs raised by the tool will fail the contributor agreement check (author is Anonymous (bot@****.io)). Will need to approve that.

[gdams]

The PRs raised by the tool will fail the contributor agreement check (author is Anonymous (bot@****.io)). Will need to approve that.

CC @chrisguindon @mbarbero we are going to need an exception in place for commits made by the Step Security bot in order to work around out ECA check

[mbarbero]

CC @chrisguindon @mbarbero we are going to need an exception in place for commits made by the Step Security bot in order to work around out ECA check

👍 +1 from me

[chrisguindon]

@mbarbero @gdams I am thinking that we need someone to make a feature request to our projects-bots-api to enable this exception as we did with 49699333+dependabot[bot]@users.noreply.github.com

https://github.com/EclipseFdn/projects-bots-api/blob/master/src/main/jsonnet/extensions.jsonnet

[tellison]

FYI, running the tool on some workflows will result in, for example,

KnownIssue-7: Action adoptium/.github/.github/workflows/pr-auto-merge.yml@main is a reusable workflow. Reusable workflows are not supported as of now.

Just for awareness, I believe we only reuse workflows that we have authored.

[tellison]

@gdams, since we don't know how long it will take to get a fix for step-security/secure-repo#1087 and EclipseFdn/projects-bots-api#14 I'm temped to use the tool to find the hashes and 'manually' produce a PR (authored by me) in the required format so we can start to progress this task. Shouldn't be more than an hour or so of grunt work. WDYT?

[gdams]

Yeah sounds good to me @tellison

[varunsh-coder]

Apologies for the delay in releasing the fix for the pinning issue. The part of going from vX -> vX.Y.Z is taking longer than expected. But we should have it out early next week.

[varunsh-coder]

On a related note to this thread, @boahc077 and I have been working with @mbarbero to onboard Eclipse orgs to a dashboard to track and improve the OpenSSF Scorecard score across repositories. For the adoptium GitHub org, you can find the link to the dashboard here: https://app.stepsecurity.io/github/app/eclipse/adoptium/repositories. The dashboard is not public since it aggregates scores across repositories. @gdams, @tellison, and @karianna, you should have access to it using your GitHub account. Please check it out. We will be happy to improve it based on feedback. Please let me know if anyone else also needs access to the dashboard. Thanks!

[tellison]

@gdams, @tellison, and @karianna, you should have access to it using your GitHub account.

FYI I'm seeing access forbidden at the moment and am authenticating with my GitHub account.

[varunsh-coder]

@gdams, @tellison, and @karianna, you should have access to it using your GitHub account.

FYI I'm seeing access forbidden at the moment and am authenticating with my GitHub account.

Sorry about that, there was an issue in setting up the access. When you get a chance, can you please try again?
https://app.stepsecurity.io/github/app/eclipse/adoptium/repositories

[tellison]

Sorry about that, there was an issue in setting up the access. When you get a chance, can you please try again?

That works now, thanks

[varunsh-coder]

Hi @varunsh-coder, thank you for dropping in and being part of the conversation. I'm just looking for consensus from people before we run this on all our repos to improve security.
I like that secure-workflows comments on the permissions in a job to explain why the permission was granted ("for X to Y"), but the action permission comment just looks like an advertisement ("added using ..."), or am I missing something ;-)

The idea is that if later on, one modifies the workflow, and needs to update the permissions, one can tell it was set using automation, and use it to update it. If you want, feel free to remove the comment in the forked branch. If I see more similar feedback, or see that more maintainers are spending time editing and removing it, I will update the automation to not add that ("added using") comment.

I wanted to share a few updates:

1. We got feedback from more maintainers about the "added using ..." comment for token permissions and that they had to spend time removing it. So that comment is no longer added when remediating issues using https://app.stepsecurity.io/securerepo
2. In addition to remediating token permissions and pinning GitHub Actions, https://app.stepsecurity.io/securerepo now supports adding/ updating the dependabot.yml file based on the project languages and adding a CodeQL workflow. We are working on automating the pinning of images in Dockerfiles. All these should further help improve the Scorecard score.