
Reference SHAs instead of refs for external GitHub Actions in ".workflows"

Open · Vadorequest opened this issue 5 years ago · 1 comment

Is your feature request related to a problem? Please describe.
It's unsafe to reference refs, it's safer to reference SHAs, especially if we provide Secrets or other sensitive information.

Describe the solution you'd like
We might use something like https://github.com/mheap/pin-github-action and have scripts that run it against our workflows files. And automate it somehow, so that it is enforced.

Describe alternatives you've considered
Doing it manually. Not great DX.

Additional context
https://michaelheap.com/improve-your-github-actions-security/

Vadorequest avatar Dec 17 '20 18:12 Vadorequest

Use https://github.com/marketplace/actions/ensure-sha-pinned-actions for enforcing that the rule is applied automatically. See https://michaelheap.com/ensure-github-actions-pinned-sha/

Vadorequest avatar Jan 04 '21 18:01 Vadorequest
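The issue proposes scanning workflow files for `uses:` entries that reference a mutable ref (a tag or branch) instead of a commit SHA, and the follow-up comment proposes enforcing that check automatically in CI. The script below is an added example of such a check; it is not code from this project, from pin-github-action, or from ensure-sha-pinned-actions. It uses only the standard library, treats a reference as pinned when the part after `@` is a 40-character hex commit SHA, and skips local (`./`) and `docker://` references, which are not resolved through another repository's git refs. The embedded workflow is constructed for the example and the SHA in it is a placeholder.

```python
import re
import sys
from typing import Dict, List

# Constructed sample workflow (not from this project). Line 7 and line 12
# reference mutable refs; line 8 is pinned to a placeholder 40-hex SHA.
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v2 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.12
      - name: Await deployment
        uses: example-org/example-await-action@v1.1.0
        with:
          deployment-url: example.vercel.app
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# A full commit SHA is 40 hex characters; anything else (tag, branch, short SHA,
# or no version at all) can be moved by the action's maintainer or an attacker
# who gains control of that repository.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Matches "uses: <ref>" whether it opens a list item or follows a "name:" key,
# and ignores a trailing "# comment" such as the tag note many pinning tools add.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(.+?)\s*(?:#.*)?$")


def is_pinned(ref: str) -> bool:
    """Return True when an action reference is immutable (local, docker, or SHA)."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    _action, _sep, version = ref.partition("@")
    return bool(SHA_RE.match(version))


def find_unpinned(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per 'uses:' entry that is not pinned to a commit SHA."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("'\"")
        if is_pinned(ref):
            continue
        action, _sep, version = ref.partition("@")
        findings.append({"line": lineno, "action": action, "ref": version})
    return findings


def check_files(paths: List[str]) -> int:
    """Scan workflow files and return a non-zero exit status if any are unpinned."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8") as handle:
            for finding in find_unpinned(handle.read()):
                total += 1
                print(f"{path}:{finding['line']}: {finding['action']} uses "
                      f"mutable ref {finding['ref'] or '<none>'!r}; pin to a commit SHA")
    return 1 if total else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Enforcement mode: e.g. `python check_pins.py .github/workflows/*.yml` in CI.
        sys.exit(check_files(sys.argv[1:]))
    for finding in find_unpinned(SAMPLE_WORKFLOW):
        print(finding)
```

Running it without arguments scans the embedded sample and reports lines 7 and 12; with workflow paths as arguments it exits non-zero on any unpinned reference, which is the property a CI job needs to enforce the rule. A SHA pin is immutable, so a later push to the tag or branch, whether a routine release or a compromise of the action's repository, cannot change what a workflow that handles secrets executes; the trade-off is that updates must then be made deliberately, which is why pinning is usually paired with a tool or bot that proposes SHA bumps.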