tools: use actions pinned by commit hash on coverage-linux.yml #46294
Conversation
|
Review requested:
|
nodejs-github-bot
added
the
meta
Signed-off-by: Gabriela Gutierrez <[email protected]>
gabibguti
force-pushed
the
hash-pinned-actions
branch
from
6996e1c
to
cbd8c8a
Compare
gabibguti
changed the title
.github/workflows/coverage-linux.yml
Outdated
| @@ -37,11 +37,11 @@ jobs: | |||
| if: github.event.pull_request.draft == false | |||
| runs-on: ubuntu-latest | |||
| steps: | |||
| - uses: actions/checkout@v3 | |||
| - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |||
There was a problem hiding this comment.
Does it really make sense for Actions provided by GitHub? Since they're the ones who also provide the hardware, we have to trust them at some point, and keeping this updated seems more likely to happen if we're using a tag rather than a commit hash. +1 one for doing it for the codecov action though. wdyt?
There was a problem hiding this comment.
I agree with you it's debatable. After all, if GitHub itself gets hijacked we would have bigger problems. About keeping the hash updated it's a good point. Dependabot can take care of updating the hash and the version tag comment, which is more readable. But, yes, keeping the tag version or tag major can be a good option for GitHub actions if you folks prefer.
There was a problem hiding this comment.
Dependabot can take care of updating the hash and the version tag comment, which is more readable.
To provide context: dependabot/dependabot-core#4691 (comment)
There was a problem hiding this comment.
Shall we resolve the linting warning?
I do this pinning also in my personal projects but have the comment above the actual uses line.
Edit: seems according to the dependabot link like dependabot/dependabot-core#4691 (comment) only this comment format is supported? Not sure if the linting issue will go away without doing any further changes.
Might be a problem with the linting rules of GH.
There was a problem hiding this comment.
In my opinion it is good to pin all actions, also those of GitHub. We can not be sure if and who pushes what code. What if someone has bad intentions and joins GitHub just to get malicious code into such solutions?
Also at least I do not know which persons maintain the project, have push and write permissions and if I can trust every single one.
Some PRs also seem to be spam or malicious: https://github.com/actions/checkout/pulls
I doubt that the same persons who have access to the hardware at GH (totally different security restrictions) also work on the actions or have access to them.
Tags can also be changed / pointed to different commits at any time - at least in Git.
There was a problem hiding this comment.
I believe I fixed the lint warning but kept the version comment inline, cause, in my understanding, dependabot can only update the version comment inline.
There was a problem hiding this comment.
Perfect, thank you very much. This is ok for me as long as dependabot can automatically handle this.
|
cc: @nodejs/security-wg |
.github/workflows/coverage-linux.yml
Outdated
| @@ -37,11 +37,11 @@ jobs: | |||
| if: github.event.pull_request.draft == false | |||
| runs-on: ubuntu-latest | |||
| steps: | |||
| - uses: actions/checkout@v3 | |||
| - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |||
There was a problem hiding this comment.
Shall we resolve the linting warning?
I do this pinning also in my personal projects but have the comment above the actual uses line.
Edit: seems according to the dependabot link like dependabot/dependabot-core#4691 (comment) only this comment format is supported? Not sure if the linting issue will go away without doing any further changes.
Might be a problem with the linting rules of GH.
Dependabot version updates is not enabled, we could enable it if we configure it to only check for update for actions (other dependencies are updated by other automations, or manually, but we wouldn't want to use Dependabot for those I don't think). I would be more comfortable approving this PR if:
I realize this is asking for a lot of work, so I want to clarify that only the linter issue is blocking, the rest is just a proposal, and could happen in follow-up PRs. |
Signed-off-by: Gabriela Gutierrez <[email protected]>
|
@aduh95 I fixed the lint warning. I think we can add |
|
@gabibguti thanks for the PR it's good to see a concrete example @aduh95 we had asked for an example to start. I agree that we should enable for all and turn on dependabot for the actions as well. @gabibguti sounds like you are happy to do the rest and add the dependabot yaml. It might make sense to see what comments we get on this issue for a few more days before doing that larger piece of work. |
RafaelGSS
changed the title
|
@gabibguti I'm assuming we're going to have PRs for all actions, so it's better to provide the context in the title. |
|
@RafaelGSS Perfect! Totally agree and thanks for updating this PR title! |
|
Hey everyone, I'm taking some time because I'm looking into dependabot, but I ended up with the following two questions:
|
I think we could stick to security updates only. AFAIK nowadays the update is performed manually, so it won't change anything in our workflow. But, adding a workflow to update the actions once per month (regardless of security updates) would be great too. Wdyt @nodejs/tsc ? |
That's not quite correct for actions from GitHub (e.g. |
My thought is that sticking to security updates only is a good way to start. |
We already use dependabot in some of the project repos so sticking to that makes sense to me. As an existing example: https://github.com/nodejs/TSC/blob/main/.github/dependabot.yml |
|
Okay! For only security updates, we don't need If we do that, we don't need anything else in this PR. However, I could not fully understand if Dependabot works properly identifying actions vulnerabilities by just enabling the security updates check. That said, I think it's better to enable the version updates by adding |
My take is that we can try enabling the version updates by adding dependabot.yml |
Signed-off-by: Gabriela Gutierrez <[email protected]>
Signed-off-by: Gabriela Gutierrez <[email protected]>
|
@gabibguti is this ready to go from your perspective now? We are currently in lockdown due to the security release but after that if this is ready I'll take a look at landing it. |
Yeah! Just need to figure out the lint error to fix. |
|
@gabibguti made some suggestions which I think will resolve the linter issues if you want to review/accept them. |
Signed-off-by: Gabriela Gutierrez <[email protected]>
gabibguti
force-pushed
the
hash-pinned-actions
branch
from
9992139
to
2bda6e1
Compare
RafaelGSS
added
the
commit-queue-squash
@mhdawson We did it? |
|
@RafaelGSS We did add dependabot.yml for version updates of GHAs in this PR. The interval is monthly and limit of 10 PRs. |
Signed-off-by: Gabriela Gutierrez <[email protected]> PR-URL: #46294 Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Tierney Cyren <[email protected]>
|
Landed in ff89399 |
Signed-off-by: Gabriela Gutierrez <[email protected]> PR-URL: #46294 Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Tierney Cyren <[email protected]>
Signed-off-by: Gabriela Gutierrez <[email protected]> PR-URL: #46294 Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Tierney Cyren <[email protected]>
As discussed in the Security WG's latest meeting, here is how to use actions by commit hash in GitHub workflows.
Motivation: Using actions by commit hash reference is a remediation for, when actions are compromised or go under a dependency confusion attack, you are not using the malicious version. This remediation along with using least privilege principle for each action in the workflow, makes it harder for a possible action hijacker to have high access to your repository.
Signed-off-by: Gabriela Gutierrez [email protected]
Related to: nodejs/security-wg#851