
Pin Github Action versions in CI #34

Merged
merged 2 commits into from
Jun 28, 2024

Conversation

bjosv
Collaborator

@bjosv bjosv commented Jun 27, 2024

Pin the Github Actions we use in CI to a release hash according to secure software development best practices,
recommended by the Open Source Security Foundation (OpenSSF).

When developing a CI workflow, it's common to version-pin dependencies (i.e. actions/checkout@v4).
However, version tags are mutable, so a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead. Pinning workflow dependencies by hash ensures the dependency is immutable and its behavior is guaranteed.

See details:
https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
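As an added illustration of the check behind this change (example code written for this page, not part of the pull request or of libvalkey), the script below scans a workflow file for `uses:` references and reports every action that is not pinned to a full 40-character commit hash. The workflow text and the hash in it are constructed placeholders; local actions (`./...`) and Docker actions (`docker://...`) are skipped because hash-pinning applies to actions fetched from GitHub repositories.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the libvalkey repository): one action pinned
# to a mutable tag, one pinned to a commit hash (the hash is a placeholder, not a
# real commit), plus a local and a Docker action that the check leaves alone.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v5.1.0 (placeholder hash)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: make test
"""

# A step or reusable-workflow line: optional list dash, 'uses:', then the reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full git commit hash is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Classify a `uses:` reference as 'pinned', 'mutable' or 'skipped'."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"
    if "@" not in ref:
        # No ref at all resolves to the default branch, which moves over time.
        return "mutable"
    _, _, version = ref.rpartition("@")
    # Tags and branches (v4, main, release/1.x) can be rewritten; only a commit
    # hash identifies exactly one immutable tree.
    return "pinned" if SHA_RE.match(version) else "mutable"


def find_mutable_actions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, reference) for every action not pinned to a commit hash."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if classify_ref(ref) == "mutable":
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_mutable_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{ref}' is not pinned to a commit hash")
```

Run it against the workflows in `.github/workflows/` to get the same list the scorecard check would complain about; the trailing `# v5.1.0` comment on the hash-pinned line is the usual convention for keeping the human-readable version next to the hash.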

bjosv added 2 commits June 27, 2024 19:13
Update all jobs except on CentOS 7 which requires an older version.

Signed-off-by: Björn Svensson <[email protected]>
@bjosv bjosv requested a review from michael-grunder June 27, 2024 19:08

@michael-grunder michael-grunder left a comment


Those crafty hackers 😄

@bjosv bjosv merged commit a84615c into valkey-io:main Jun 28, 2024
40 of 43 checks passed
@bjosv bjosv deleted the pin-actions branch June 28, 2024 07:02
michael-grunder pushed a commit to michael-grunder/libvalkey that referenced this pull request Aug 1, 2024
Pin the Github Actions we use in CI to a release hash according to
secure software development best practices, recommended by the
Open Source Security Foundation (OpenSSF).

When developing a CI workflow, it's common to version-pin dependencies
(i.e. actions/checkout@v4). However, version tags are mutable, so a
malicious attacker could overwrite a version tag to point to a malicious or
vulnerable commit instead. Pinning workflow dependencies by hash ensures
the dependency is immutable and its behavior is guaranteed.
See details:
https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

Signed-off-by: Björn Svensson <[email protected]>