Add guidance on pinning GitHub Actions and container images #69
Comments
|
I propose to add recommendation somewhere under @open-telemetry/governance-committee @open-telemetry/technical-committee @open-telemetry/sig-security-maintainers, thoughts? |
|
Thanks for raising this, as far as I remember the OpenSSF Scorecard Automation should catch that as well and raise an issue on repositories |
|
The automation creates a PR that changes all actions to pinned. But personally I think it goes overboard and in Jaeger we went back to semver refs in some places. Eg you want pinned versions in a workflow that performs a release, but not in the integration tests. |
|
@yurishkuro, do you mind sharing why did you go back to semver? The recommendation, as I understand it, is to have this: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7Both tools can then open a PR bumping that upon a new version: https://github.com/open-telemetry/opentelemetry-collector-releases/pull/578/files I'm probably missing something, but if your integration tests are using semver with |
|
@jpkrohling 99% of the time there is no benefit for me as a maintainer in minor bumps of the versions of GH actions, but it's a constant maintenance burden to merge those PRs. For example, for all integration tests, it makes no difference if the setup-go action is v4, v4.1, or v4.1.2. So I can define it as v4 semver and never worry about bumps PRs from dependabot (I just ran a test for last year of commits in Jaeger, 30% of them were from dep bots). But I cannot do |
Sounds like an automation issue? Renovate has a "noise reduction" feature, so that it would group related dependencies (like "all github actions") into one single PR, and you can adjust the frequency: https://docs.renovatebot.com/noise-reduction/ |
I agree these PRs create a lot of clutter if nothing else
thanks, I'm trying this out: open-telemetry/opentelemetry-java-instrumentation#11829 |
We are already using the grouping of dependencies in Jaeger, but it's not enough - if a project depends on a dozen GH actions there's a high chance at least one will have a new patch every week, which will create a new PR that provides exactly 0 value to me. So another thing I do is restrict certain groups to minor version bumps only & ignore patches. |
Patches use to have bugfixes (including security fixes). Not bumping them may not appropriate from security perspective. |
|
After introducing support for digest in testcoinares, Ref: |
Why
A bad actor can force push a tag so that GitHub Action to do some malicious actions.
A bad actor can push a malicious container image under the same name.
What
We should use digest pinning to mitigate the possibility of using a malicious GitHub Actions and container images.
It should also make the build more reproducible.
Some references:
When using GitHub Actions we can add a comment with a after the digest (e.g.
actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 # v2.1.0).Both Renovate and Dependabot can bump both the digest and the tag in the comment:
When using container images we can add the digest at the end (e.g.
node:14.15.1@sha256:d938c1761e3afbae9242848ffbb95b9cc1cb0a24d889f8bd955204d347a7266e).Both Renovate and Dependabot can bump the image name and the digest as well:
The text was updated successfully, but these errors were encountered: