Pinned actions
GitHub added an option to enforce pinned actions (every `uses:` must reference a full-length commit SHA) and we are going to enable it at the end of the week. If you are using the templates from the workflow template repo, there is nothing to do (apart from a regular bump, see the readme for the steps).
If you maintain custom workflows or composite actions, you have to make sure that every `uses:` always specifies the full 40-character commit SHA, not a tag or branch. Keep the version as a trailing comment so that humans and the update bots can still see which release the SHA corresponds to.
- Dependabot bumps both the pinned SHA and the version comment correctly.
- For Renovate, the following config extension does the same:
  https://github.com/nextcloud/mail/blob/954dd1e8a05ee51ec7dccf14ead4acfd1a2f8040/renovate.json
Sample
Before: uses: skjnldsv/check-actor-permission@v3
After: uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
The reason is that several GitHub Action repositories have been hacked/compromised in the past. A tag such as @v3 is mutable and can be re-pointed at a tampered commit, and a manipulated action immediately leaks every secret the workflow has access to. A full commit SHA is immutable, so the workflow keeps running exactly the code that was reviewed.
Cooldown for dependency updates
Additionally, if you have Dependabot or Renovate updating actions (and other dependencies),
please make sure to add the 7-day cooldown:
- Dependabot: https://github.com/nextcloud/.github/blob/master/.github/dependabot.yml#L20-L21
- Renovate: https://github.com/nextcloud/mail/blob/954dd1e8a05ee51ec7dccf14ead4acfd1a2f8040/renovate.json
This makes Dependabot/Renovate only open a PR once a release is at least 7 days old, so upstream maintainers have had a chance to revoke a compromised release before it rolls out to our repositories.
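To check a repository against both points above (every `uses:` pinned to a full SHA with a version comment, and a 7-day cooldown configured for Dependabot and Renovate) before the enforcement switch is flipped, here is a small stand-alone linter. It is an added example, not part of this announcement or of the nextcloud tooling; the workflow, renovate.json and dependabot.yml it checks are constructed samples embedded inline (the setup-node SHA is a made-up value, and the `cooldown.default-days` and `minimumReleaseAge` keys are the Dependabot and Renovate settings the linked configs use). It uses only the standard library, so the dependabot.yml is read with a line regex rather than a YAML parser.

```python
import json
import re

# Constructed sample workflow: a tag-pinned action, a correctly pinned one with a
# version comment, a SHA-pinned one without a comment, a local action and a docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: skjnldsv/check-actor-permission@69e92a3c4711150929bca9fcf34448c5bf5526e7 # v3.0
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
"""

# Constructed config fragments (illustrative, not the nextcloud configs).
SAMPLE_RENOVATE = json.dumps({
    "extends": ["config:recommended", "helpers:pinGitHubActionDigests"],
    "minimumReleaseAge": "7 days",
})
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?\s*(#.*)?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
VERSION_COMMENT_RE = re.compile(r"^#\s*v?\d+(\.\d+)*")


def check_workflow(text):
    """Return (line_no, ref, problem) for every `uses:` that is not pinned to a
    full commit SHA (or image digest) and annotated with a version comment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        if ref.startswith("./"):
            continue  # local action: lives in this repo, nothing to pin
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((line_no, ref, "docker image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append((line_no, ref, "no ref at all (resolves to the default branch)"))
            continue
        sha = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(sha):
            findings.append((line_no, ref, "ref is a mutable tag/branch, not a full SHA"))
        elif not VERSION_COMMENT_RE.match(comment):
            findings.append((line_no, ref, "pinned, but missing the '# vX.Y' version comment"))
    return findings


def renovate_cooldown_days(text):
    """Days from minimumReleaseAge in a renovate.json ("7 days"); 0 if absent.
    Only the 'N days' form is parsed here; anything else counts as no cooldown."""
    age = json.loads(text).get("minimumReleaseAge")
    m = re.match(r"^\s*(\d+)\s*(day|days|d)\s*$", str(age or ""))
    return int(m.group(1)) if m else 0


def dependabot_cooldown_days(text):
    """Smallest cooldown.default-days across the update blocks of a dependabot.yml
    (line regex, no YAML parser); 0 if no cooldown is configured."""
    days = [int(d) for d in re.findall(r"^\s*default-days:\s*(\d+)\s*$", text, re.M)]
    return min(days) if days else 0


def cooldown_ok(days, minimum=7):
    """True if the configured cooldown meets the 7-day policy."""
    return days >= minimum


if __name__ == "__main__":
    for line_no, ref, problem in check_workflow(SAMPLE_WORKFLOW):
        print(f"workflow line {line_no}: {ref}: {problem}")
    for name, days in (("renovate", renovate_cooldown_days(SAMPLE_RENOVATE)),
                       ("dependabot", dependabot_cooldown_days(SAMPLE_DEPENDABOT))):
        print(f"{name} cooldown: {days} days -> {'ok' if cooldown_ok(days) else 'TOO SHORT'}")
```

Run it over your real `.github/workflows/*.yml`, `renovate.json` and `.github/dependabot.yml` by swapping the sample strings for file contents; the tag-pinned checkout and the digest-less docker image are exactly what the GitHub enforcement setting will reject, and the missing version comment is what stops the bots from bumping the pin cleanly.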
Validation / static analysis
There is also static analysis for workflow and action files. We recommend zizmor for that (https://docs.zizmor.sh/); it flags unpinned actions among other workflow issues:
# With dependabot
zizmor --min-severity medium .github/*/*.yml .github/dependabot.yml
# With renovate (zizmor does not yet understand renovate.json, so only the workflow files are checked)
zizmor --min-severity medium .github/*/*.yml