chore: Pin GitHub Actions to commit SHA #4562
Conversation
alexsohn1126
changed the title
alexsohn1126
requested review from
Flash0ver and
jamescrosswell
as code owners
alexsohn1126
changed the title
alexsohn1126
changed the title
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
|
@sentry review |
![seer-by-sentry[bot]](https://avatars.githubusercontent.com/in/801464?s=60&v=4){kind=small}
alexsohn1126
changed the title
github needs to run actions/checkout before it can see local actions.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4562 +/- ##
==========================================
- Coverage 73.49% 73.48% -0.02%
==========================================
Files 482 482
Lines 17678 17678
Branches 3493 3493
==========================================
- Hits 12993 12991 -2
- Misses 3797 3798 +1
- Partials 888 889 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
@sentry review |
|
bugbot review |
alexsohn1126
changed the title
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
|
Some remaining tags in |
|
And one more comment missing ... for consistency: -uses: jlumbroso/free-disk-space@f68fdb76e2ea636224182cfb7377ff9a1708f9b8
+uses: jlumbroso/free-disk-space@f68fdb76e2ea636224182cfb7377ff9a1708f9b8 # v1.3.0 |
|
I'm definitely not a fan of this change. If everyone else really wants to do this, then I'll go with the flow, but I far prefer the readable tags/labels to the commit hashes... and the problem we're trying to solve here seems like a highly unlikely hypothetical problem. Do we know anyone who has been scorched by this? |
|
https://snyk.io/blog/reconstructing-tj-actions-changed-files-github-actions-compromise/ @jamescrosswell This seems to be an example of what a possible attack could look like. |
I see... depressing. That will make it much harder to review PRs. If I see a commit hash, the only way I have of verifying whether it's doing what we intend it to do is by going back to the repo where the action comes from, checking whether the appropriate label has been applied to that commit hash and also checking to make sure the commit hash doesn't correspond to an orphaned branch. Probably not the kind of thing humans should be spending their time doing (and we wouldn't do it very reliably even if we tried). |
|
I agree it's way more cumbersome to have commit hashes instead of version tags. Dependabot automates the actual updates, but that doesn't change the fact that we (should) review those PRs. I think it is worth the extra security in my opinion though. Other repos in Sentry also pin official GitHub Actions - such as Note: something I found during my research - Open Source Security Foundation (OSSF) recommends people to pin GH Actions to commit SHAs too. See second last point in https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies I'm not saying OSSF is a omnipresent source for GitHub Action security, but with 5k stars, seems pretty reputable. Just for fun, you can see |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
|
Given that we seem to be forced to do this, I can't see any problem with the PR (assuming all of the commit hashes are correct). @vaind are there still some changes you wanted? At the moment the PR is blocked pending some changes you requested. |
|
Hm, @Flash0ver it looks like you've got a blocking change request as well. Has this been addressed now? |
Flash0ver
left a comment
Flash0ver
left a comment
There was a problem hiding this comment.
Thanks for the reminder @jamescrosswell.
Apart from the security aspects, I also like the consistency and reproducibility.
alexsohn1126
deleted the
alexsohn/chore/use-commit-sha-for-github-actions
branch
Pin GitHub Actions to commit SHA for security reasons, as well as consistency and reproducibility.
Closes #4540
Problem
According to GitHub Actions security best practices, we should pin actions to a full-length commit SHA.
#skip-changelog
Note
Pins all CI actions and reusable workflows to specific commit SHAs across GitHub workflows and the buildnative composite action.
actions/checkout@v5,actions/cache@v4(andcache/restore),actions/upload-artifact@v4,actions/download-artifact@v5,codecov/codecov-action,microsoft/setup-msbuild.docker/login-action,docker/setup-qemu-action,docker/setup-buildx-action,docker/build-push-action.github/codeql-action/{init,analyze},gradle/actions/setup-gradle,reactivecircus/android-emulator-runner,styfle/cancel-workflow-action.getsentry/github-workflows(danger, updater),getsentry/action-prepare-release,getsentry/github-workflows/sentry-cli/integration-test..github/actions/buildnative):actions/cache@v3with pinnedactions/cache@v4SHAs for C and Android supplemental builds.Written by Cursor Bugbot for commit 4783fed. This will update automatically on new commits. Configure here.