🌱 Pin actions to a full length commit SHA

[naveensrinivasan]

What this PR does / why we need it:

Only pinned the non-github actions

• Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
• Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Also, dependabot supports upgrading based on SHA.

Signed-off-by: naveensrinivasan [email protected]

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

[k8s-ci-robot]

Hi @naveensrinivasan. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign vincepri after the PR has been reviewed.
You can assign the PR to them by writing /assign @vincepri in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sbueringer]

I assume this was not done?

Included permissions for the action.

(just because it was mentioned in the PR description)

[sbueringer]

/ok-to-test

[naveensrinivasan]

I assume this was not done?

Included permissions for the action.

(just because it was mentioned in the PR description)

Yes. I will do that as a separate PR. My apologies for the wrong message.

[sbueringer]

@naveensrinivasan My bad. I missed that they actually have a v7 and a v7.0.0 tag in this repo. That's why I though it is not just the commit id of the repo.

Do you know if dependabot will update the comment including the tag and the URL automatically?

Anyway for me it would be fine to drop the URL. I just didn't know / misread that it's directly a commit ID on the repo. I thought it might be a sha of a published "action artifact" or something.

[sbueringer]

If we keep the URL, can you please link to those URLs instead: https://github.com/EndBug/add-and-commit/releases/tag/v7

This way the tag can be directly mapped to the commit id

[naveensrinivasan]

TBH I use the API to get the URL. Sorry, As of now I can do this.

[sbueringer]

v1 seems to be:
https://github.com/softprops/action-gh-release/releases/tag/v1 => 1e07f4398721186383de40550babbdf2b84acfc5

[sbueringer]

I couldn't find 4716bde57e0fcda6ce83002e2469b8a90e560573

[killianmuldoon]

API endpoint (from above) seems to point to the same release commit commit if I'm reading the api endpoint right:
softprops/action-gh-release@1e07f43

I'm not sure why the shas are different though, but I guess it's the tag i.e. https://docs.github.com/en/rest/reference/git#tags

[naveensrinivasan]

I couldn't find 4716bde57e0fcda6ce83002e2469b8a90e560573

Have you had a chance to look at this URL https://api.github.com/repos/softprops/action-gh-release/git/tags/4716bde57e0fcda6ce83002e2469b8a90e560573 ?

[sbueringer]

Hm maybe some GitHub issue. The URL didn't work for me a few hours before.

But v1 is definitely not pointing to this commit: https://github.com/softprops/action-gh-release/releases/tag/v1

[naveensrinivasan]

I wrote something up https://gist.github.com/naveensrinivasan/ca008c07279176acce28969fb77d056f hope this helps.

[sbueringer]

Okay got the API query issue. But couldn't we just use the commit id linked at the release in the GitHub UI?
=> https://github.com/softprops/action-gh-release/releases/tag/v1 (softprops/action-gh-release@1e07f43)

[sbueringer]

But I think the most important question is, what would dependabot do?

Does it update to the latest release or the latest tag and which sha would it use then?

And also would it update the URL comment, because I prefer not adding the URL if we would have to update it manually after each dependabot PR to bump actions

[naveensrinivasan]

It wouldn't add the URL. The dependabot would update to the latest tag instead of the version.

[sbueringer]

It wouldn't add the URL

Okay then let's drop the URLs

Would it update the comment with the tag behind the sha?

update to the latest tag instead of the version

To clarify, the latest tag instead of the latest release? (or what do you mean with version?)

[k8s-ci-robot]

@naveensrinivasan: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[vincepri]

Any updates on this PR?

[sbueringer]

I think in general we are basically happy with the way actions are automatically bumped by dependabot right now.

The only gap is that we are using tags so we're not safe against folks moving tags around.

If we have a good way to automatically bump GitHub actions based on sha's while still preserving the info which corresponding tag it is we can move forward.

[naveensrinivasan]

Any updates on this PR?

Sorry I need to recall what needs to be done for this. Should I just drop the URL's would that suffice to merge this in. Please let me know. I can rebase and make that change.

Just an FYI dependabot doesn't update the comment on the version so it becomes obsolete.

[sbueringer]

I can't really decide it on my own, but I'm not sure if we want to have the sha instead of the tag.

It's more secure, but for humans it's hard to know which version of an action we are using.

@vincepri WDYT?

[vincepri]

Unless dependabot can update sha's automatically based on tags, I'd leave it as is and use tags for now

[naveensrinivasan]

Unless dependabot can update sha's automatically based on tags, I'd leave it as is and use tags for now

Dependabot can update sha's automatically based on tags.

[sbueringer]

I think the only problem is that we won't have the tags in the workflow YAMLs. So dependabot will bump the same way but if we want to know what we're using we have to lookup sha => tag manually.

[naveensrinivasan]

I think the only problem is that we won't have the tags in the workflow YAMLs. So dependabot will bump the same way but if we want to know what we're using we have to lookup sha => tag manually.

Yes and I wrote how it can be done here https://gist.github.com/naveensrinivasan/ca008c07279176acce28969fb77d056f

[fabriziopandini]

I understand security concerns, but at least from my point of view what mostly impacts us is maintainability and human-readable tags make it easy.

I saw this PR adds a comment after SHA to find a middle ground; is dependabot doing the same when it bumps a new release? I there an example of those bumps in other projects?
If we can't find a middle ground that makes the maintainers comfortable, I'm -1 to this change

[naveensrinivasan]

I understand security concerns, but at least from my point of view what mostly impacts us is maintainability and human-readable tags make it easy.

I saw this PR adds a comment after SHA to find a middle ground; is dependabot doing the same when it bumps a new release? I there an example of those bumps in other projects? If we can't find a middle ground that makes the maintainers comfortable, I'm -1 to this change

Dependabot doesn't add comments to the version of the SHA that is pinned. That is an issue.

[chrischdi]

For dependabot: there is an issue which would help to have the best of both (pin by hash and have the tag in a comment): dependabot/dependabot-core#4691

However, this did not get implemented as of today.

[sbueringer]

Thx for the links. I subscribed to those issues. I would personally prefer waiting with sha pinning until updating the comment is implemented.

[fabriziopandini]

+1 to wait for a version of dependabot that adds the comment

[naveensrinivasan]

Sounds good.