Replace github workflow action version to use commit hashes #6177

jackstockley89 opened this issue Sep 20, 2024 · 0 comments
@jackstockley89 (Contributor)
Background

GitHub security good practices documentation says you should use the commit hash instead of the version:

> Pin actions to a full-length commit SHA
>
> Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Approach

Review all actions and replace all versions with commit hashes, as this is best practice and covers Cloud Platform for the future.

Definition of done

  • All actions checked and changed
  • Test actions still run
  • Another team member has reviewed

Reference

Security Guide
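The check behind the "All actions checked and changed" item, as an added example that is not code from this issue or from the Cloud Platform repository: a small lint that scans workflow text for `uses:` references and reports any that are not pinned to a full-length 40-character commit SHA, plus pinned ones that lack the trailing version comment reviewers rely on. The workflow snippets and the SHAs in them are constructed placeholders, not real commits of the named actions.

```python
"""Added example (not from the issue or the Cloud Platform repo): lint GitHub
Actions workflow text for `uses:` references that are not pinned to a
full-length commit SHA. Action names and SHAs below are constructed placeholders."""
import re

# A `uses:` line: optional list dash, optional quotes, owner/repo[/path]@ref,
# optionally followed by a trailing `# comment` (conventionally the version tag).
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<action>[^@\s"\']+)@(?P<ref>[^\s"\']+)["\']?'
    r'(?:\s*#\s*(?P<comment>.*))?\s*$'
)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SHORT_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')


def lint_workflow(text):
    """Return (line_no, action, ref, problem) tuples for every `uses:` reference
    that is a mutable tag/branch, an abbreviated SHA, or a SHA with no version comment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a `uses:` line, or a local `./` action with no @ref
        action, ref, comment = m.group('action'), m.group('ref'), m.group('comment')
        if action.startswith('docker://'):
            continue  # container images are pinned by digest; that is a separate check
        if FULL_SHA_RE.match(ref):
            if not comment:
                # Pinned, but nobody can tell from the file which release the SHA is meant to be.
                findings.append((line_no, action, ref, 'missing-version-comment'))
        elif SHORT_SHA_RE.match(ref):
            findings.append((line_no, action, ref, 'short-sha'))
        else:
            findings.append((line_no, action, ref, 'mutable-ref'))
    return findings


# Constructed placeholder SHAs (obviously fake; they do not belong to any real action).
SHA_A = 'a' * 40
SHA_B = 'b' * 40
SHA_C = 'c' * 40

# Constructed workflow as it typically looks before the change: tags and branches.
BEFORE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/upload-artifact@abcdef1
      - uses: ./.github/actions/local-step
      - run: npm test
"""

# The same workflow after pinning every third-party action to a full SHA,
# keeping the version as a trailing comment so reviewers and Dependabot can read it.
AFTER = f"""\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{SHA_A} # v4
      - uses: actions/setup-node@{SHA_B} # v4
      - uses: actions/upload-artifact@{SHA_C} # v4
      - uses: ./.github/actions/local-step
      - run: npm test
"""

if __name__ == '__main__':
    for name, text in (('before', BEFORE), ('after', AFTER)):
        print(f'{name}: {lint_workflow(text) or "all uses: references pinned"}')
```

Running the lint over every file under `.github/workflows/` gives the list to work through for the first checkbox; a clean run is not the end of the task, because the quoted guidance also asks that each SHA be confirmed to come from the action's own repository rather than a fork, which the lint cannot tell from the workflow text alone.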

Status: Todo