gitops-acl-action icon indicating copy to clipboard operation
gitops-acl-action copied to clipboard
verified publisher icon tailscale

Pin GitHub Actions to commit SHAs and document security practices

Open Miladiir opened this issue 2 months ago • 0 comments

This pull request was done using github copilot only. I created this pr since according to new github actions best practices and settings the current version of the action does not run anymore in my tailscale gitops repository.

All GitHub Actions must be pinned to immutable commit SHAs to prevent supply chain attacks and ensure reproducible builds.

Changes

action.yml

  • Pinned actions/setup-go@v5@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 (v5.5.0)
  • Fixed malformed error message (missing closing quote)

CONTRIBUTING.md (new)

  • Action pinning standard: commit SHAs with version comments
  • Guidelines for adding/updating actions
  • Security best practices for GitHub Actions
  • Documentation on maintaining README examples when Dependabot updates actions

README.md

  • Updated example workflow with pinned actions:
    • actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 (v4.3.1)
    • actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 (v4.3.0)
  • tailscale/gitops-acl-action@90d41601ba36b946cf4946ef5a72bf6e16bae14b (v1.3.1)
  • Added security note linking to CONTRIBUTING.md
  • Added note explaining Dependabot doesn't automatically update README examples and directing users to releases page for latest versions

Dependabot

  • Verified existing configuration covers composite action (action.yml) and workflows

Format

- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0

Commit SHA is immutable; version comment aids human readability. Dependabot will automatically update pins weekly.

Note: Dependabot only updates action references in action.yml and workflow files, not code examples in markdown files. Maintainers should manually update README examples when Dependabot creates update PRs.

  • Fixes Miladiir/gitops-acl-action#1
Original prompt

This section details on the original issue you should resolve

<issue_title>Pin all referenced GitHub Actions and configure Dependabot for dependencies</issue_title> <issue_description>## Summary All referenced and used GitHub Actions in this repository should be pinned to a specific version (commit SHA or tag) to enhance security and prevent unexpected changes or supply chain attacks. Additionally, if possible, configure Dependabot to help automatically pin and update dependencies, including action versions and package dependencies (if any).

This repository is an Actions provider (with its main entrypoint in action.yml), so ensure any actions (such as uses: steps) or tool dependencies referenced in action.yml—especially in the steps: field—are pinned just as strictly as in workflow YAMLs (e.g., .github/workflows/). The configuration for Dependabot should also consider both workflow usage and references within action.yml.

GitHub Actions best practices

  • Pin third-party actions to a full commit SHA when possible; if using tags, prefer immutable tags and regularly update them.
  • Limit permissions in workflows using the permissions key to the minimal set required (least privilege).
  • Use the official GitHub Actions and verified creators when available; review action code before adopting.
  • Avoid passing secrets or the full GITHUB_TOKEN to untrusted third-party actions; use inputs and secrets sparingly.
  • Prefer reusable workflows and composite actions for shared logic and pin those references as well.
  • Avoid running untrusted remote code (e.g., run: curl | bash) in workflows or within action.yml.
  • Use Dependabot for changelog and security updates, and consider scheduling periodic reviews of action pins.
  • Use workflow or environment protection rules (branch protection, required reviewers) for sensitive workflows.

Tasks

  • Audit all GitHub workflow files (under .github/workflows/) for usages of GitHub Actions.
  • Audit the root-level action.yml (Marketplace entrypoint) for any uses: or tool version references.
  • Pin each action usage to a specific version (preferably a commit SHA for best security) in both workflow files and in the action.yml.
  • Ensure there are no @main, @latest, or other floating tags in action or tool references, including in the composite action steps within action.yml.
  • Investigate and, if possible, configure Dependabot:
  • Enable for GitHub Actions versions in both workflows and the top-level composite action.
  • Enable for package dependencies if present (e.g., package.json, requirements.txt).
  • Document the pinning standard and GitHub Actions best practices in the repository documentation (e.g., in a CONTRIBUTING.md or repository README).

Acceptance Criteria

  • All GitHub Actions are pinned to static versions in workflows and within composite action definitions (action.yml).
  • Dependabot is enabled/configured for actions and dependencies.
  • All workflows and composite actions follow GitHub Action best practices (as per the official documentation).
  • Team is notified of completed migration and pinning standard.

</issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes Miladiir/gitops-acl-action#1

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Miladiir avatar Nov 21 '25 12:11 Miladiir