
Ensure workflow reliability by hash-pinning GitHub Actions #876


Closed
pnacht opened this issue Sep 13, 2023 · 1 comment
Comments

@pnacht
Contributor

pnacht commented Sep 13, 2023

When developing CI workflows, it's common to version-pin dependencies (i.e. actions/checkout@v4). But version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.

Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.

These hashes can be automatically updated by dependabot. Whenever new versions of Actions are released, you'll receive a single PR updating all of their hashes and version comments at once (see this example).

I'll send a PR pinning the Actions and setting up dependabot along with this issue.
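As an added illustration of the check behind this issue (example code, not part of the issue or the project's repository): the script below scans a workflow for `uses:` lines and reports any reference that is not a full 40-character commit SHA, as well as hash-pinned steps that lack the `# vX.Y.Z` version comment dependabot relies on to keep the pin readable. The workflow text, the action names and the all-zero SHA are constructed sample input, not values from the project.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample workflow (not from the project): one hash-pinned step,
# one tag-pinned step, one local action and one container action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4.0.0
      - name: Local composite action
        uses: ./.github/actions/lint
      - uses: docker://alpine:3.18
      - run: npm test
"""

# Matches a `uses:` line, capturing the reference and an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*?))?\s*$")
# A full 40-hex-character commit SHA; abbreviated SHAs are rejected on purpose,
# since a short prefix is not guaranteed to stay unique.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses(ref: str, comment: Optional[str]) -> Tuple[str, str]:
    """Classify one `uses:` reference.

    Returns (status, detail) where status is one of:
      'ok'       - pinned to a full commit SHA (or a container image digest)
      'warn'     - hash-pinned but missing the version comment dependabot updates
      'unpinned' - resolved through a mutable tag or branch name
      'skip'     - local path inside the repository, nothing to pin
    """
    if ref.startswith("./"):
        return "skip", "local action"
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@sha256:" in image:
            return "ok", "image pinned by digest"
        return "unpinned", "container image referenced by mutable tag"
    if "@" not in ref:
        return "unpinned", "no ref given, resolves to the default branch"
    _, git_ref = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(git_ref):
        if comment:
            return "ok", f"pinned to commit, version comment '{comment}'"
        return "warn", "pinned to commit but no version comment"
    return "unpinned", f"mutable ref '{git_ref}'"


def audit_workflow(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, ref, status, detail) for every `uses:` line that needs attention."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        status, detail = check_uses(m.group("ref"), m.group("comment"))
        if status in ("unpinned", "warn"):
            findings.append((line_no, m.group("ref"), status, detail))
    return findings


if __name__ == "__main__":
    for line_no, ref, status, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {status}: {ref} ({detail})")
```

Run against the sample, it flags `actions/checkout@v4` (mutable tag) and `docker://alpine:3.18` (mutable image tag) while accepting the SHA-pinned `setup-node` step because it also carries the version comment. Once every step is pinned this way, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` is what lets dependabot refresh both the SHA and the comment in one PR, as the issue describes.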

@pnacht
Contributor Author

pnacht commented Sep 14, 2023

Closing this after the discussion in #877.

pnacht closed this as not planned on Sep 14, 2023.