-
Notifications
You must be signed in to change notification settings - Fork 779
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CI:DOCS] Pin actions to a full length commit SHA #3872
[CI:DOCS] Pin actions to a full length commit SHA #3872
Conversation
@cevich 👀 please |
An interesting twist on the sha versus version. I've always liked the version, but I can see the reasoning. How do you check that you have the right sha tthough? i.e. Someone comes in later and says, there's a security issue, need to change the sha now, but then they point at a sha with the security issue.... I just worry that we secure one thing, but open another equally large door the other way. Or maybe it's just to late for me to be thinking! ;^) |
73763c7
to
f5bbbaa
Compare
I also updated the PR to include comments on checking the SHA with the GitHub URL. You don't need to trust me 😉 |
Would this require more maintenance ? I think maintaining version is more easier as compared to exact SHA but I'll let @cevich decide. |
(Copy-paste from containers/podman#13564) Your concern is valid. Based on my understanding of the underlying issue, the argument is tags can be changed, but sha's cannot. So as long as trusted actors ensure the correct sha is used, any malicious actions on the tag are irrelevant. But you're right, and it's a PITA, and places more burden on the users of github-actions. Biting my tongue on my opinions on the system, additional security/safety nearly always comes at a cost of additional time, money, and headaches. |
f5bbbaa
to
467f481
Compare
467f481
to
5d43072
Compare
Ugh, I don't enjoy being "that guy" 🤓 Please check the rest of the version-comment lines, nearly every one has trailing-white-space 😢 |
Signed-off-by: naveensrinivasan <[email protected]>
5d43072
to
0be4f5e
Compare
Thanks 🤞 I hope I got everything. PTAL. Thanks! |
@cevich Let me know. Thanks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cevich, naveensrinivasan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
And many 🍪 for taking care of this and putting up with me 😁 |
/lgtm |
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Also, dependabot supports upgrading based on SHA.
Signed-off-by: naveensrinivasan [email protected]
Similar to containers/podman#13564 and was also asked to do a PR here containers/podman#13564 (comment)
What type of PR is this?
/kind other
What this PR does / why we need it:
How to verify it
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
Does this PR introduce a user-facing change?