[CI:DOCS] Pin actions to a full length commit SHA

[naveensrinivasan]

• Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
• Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

Pin actions to a full length commit SHA

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Also, dependabot supports upgrading based on SHA.

Signed-off-by: naveensrinivasan [email protected]

Similar to containers/podman#13564 and was also asked to do a PR here containers/podman#13564 (comment)

What type of PR is this?

/kind other

What this PR does / why we need it:

How to verify it

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Does this PR introduce a user-facing change?

None

[naveensrinivasan]

@cevich 👀 please

[TomSweeneyRedHat]

An interesting twist on the sha versus version. I've always liked the version, but I can see the reasoning. How do you check that you have the right sha tthough? i.e. Someone comes in later and says, there's a security issue, need to change the sha now, but then they point at a sha with the security issue.... I just worry that we secure one thing, but open another equally large door the other way. Or maybe it's just to late for me to be thinking! ;^)

[naveensrinivasan]

I also updated the PR to include comments on checking the SHA with the GitHub URL. You don't need to trust me 😉

[flouthoc]

Would this require more maintenance ? I think maintaining version is more easier as compared to exact SHA but I'll let @cevich decide.

[cevich]

(Copy-paste from containers/podman#13564)

Your concern is valid. Based on my understanding of the underlying issue, the argument is tags can be changed, but sha's cannot. So as long as trusted actors ensure the correct sha is used, any malicious actions on the tag are irrelevant. But you're right, and it's a PITA, and places more burden on the users of github-actions. Biting my tongue on my opinions on the system, additional security/safety nearly always comes at a cost of additional time, money, and headaches.

[cevich]

Ugh, I don't enjoy being "that guy" 🤓 Please check the rest of the version-comment lines, nearly every one has trailing-white-space 😢

[naveensrinivasan]

Ugh, I don't enjoy being "that guy" 🤓 Please check the rest of the version-comment lines, nearly every one has trailing-white-space 😢

Thanks 🤞 I hope I got everything. PTAL. Thanks!

[naveensrinivasan]

Ugh, I don't enjoy being "that guy" 🤓 Please check the rest of the version-comment lines, nearly every one has trailing-white-space 😢

Thanks 🤞 I hope I got everything. PTAL. Thanks!

@cevich Let me know. Thanks

[cevich]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cevich, naveensrinivasan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cevich]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cevich]

And many 🍪 for taking care of this and putting up with me 😁

[rhatdan]

/lgtm