Expand github action pinning guidance to include update approach #868
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
willp-bl
previously requested changes
Feb 8, 2024
huwd
commented
Feb 9, 2024
huwd
commented
Feb 9, 2024
|
This seems like a good change to me and is inline with what we're already doing in some places. I'm happy to approve when the comments are resolved. |
SHA pinning is a sensible approach to mitigate potential supply chain attacks. See some great blog posts here on the approach: https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash also https://michaelheap.com/improve-your-github-actions-security/#using-pin-github-action However one down side is that SHA's are not very human readable. It can be difficult to tell from the SHA if the version we've pinned has an update, or if that update is a security or important fix. Best practice therefore is to place a comment after the pinned version listing the semantic version for a third party github action. This gets you best of both worlds, maintainability plus certainty. It might look at bit like this: ``` jobs: check-pull-request: runs-on: ubuntu-latest steps: - name: Check out repository code uses: actions/checkout@ee066bloop # pin @v2 - name: Install Ruby uses: ruby/setup-ruby@22acsewblah # pin@v1 ``` Consistency here also helps us manage this code in line with the GDS Way requirement to Update dependencies frequently when managing third party dependencies: https://gds-way.digital.cabinet-office.gov.uk/standards/tracking-dependencies.html#update-dependencies-frequently Since October 2022 DependaBot will now look for comments on SHA pinning and automatically suggest updates. Similar approaches may be possible for other dependency management tools. Dependabot currently supports a range of different comment syntaxses which can be viewed here: dependabot/dependabot-core#5951 (comment) I've tried to keep the guidance general and open, leaving detail to this commit history, given the range of different tools on use across GDS. The principles are: - Pin your actions using SHAs - Ensure human readability by commenting the semver on the line with the action - Explore if your usual dependency management process, especially automated ones like DependaBot can help flag and raise visibility on new versions.
|
Rightio folks, |
|
Slight nudge here: Would anyone mind re-reviewing based on queries and resolutions above? |
heathd
approved these changes
Jul 24, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SHA pinning is a sensible approach to mitigate potential supply chain attacks. See some great blog posts here on the approach:
https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash also
https://michaelheap.com/improve-your-github-actions-security/#using-pin-github-action
However one down side is that SHA's are not very human readable. It can be difficult to tell from the SHA if the version we've pinned has an update, or if that update is a security or important fix.
Best practice therefore is to place a comment after the pinned version listing the semantic version for a third party github action.
This gets you best of both worlds, maintainability plus certainty.
It might look at bit like this:
Consistency here also helps us manage this code in line with the GDS Way requirement to Update dependencies frequently when managing third party dependencies:
https://gds-way.digital.cabinet-office.gov.uk/standards/tracking-dependencies.html#update-dependencies-frequently
Since October 2022 DependaBot will now look for comments on SHA pinning and automatically suggest updates. Similar approaches may be possible for other dependency management tools.
Dependabot currently supports a range of different comment syntaxses which can be viewed here:
dependabot/dependabot-core#5951 (comment)
I've tried to keep the guidance general and open, leaving detail to this commit history, given the range of different tools on use across GDS.
The principles are:
Looks like