
Maintenance: harden workflows by pinning 3rd party actions to full length SHA number #1025

Closed
@dreamorosi

Description


Problem statement

Workflows can use 3rd party actions. When specifying an action in a workflow you can use a version (e.g. actions/setup-node@v3) or specify a full-length SHA (e.g. peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305).

When using the first method, two workflow executions could be using versions of a 3rd party action that correspond to different commits. This exposes the repository running the workflow to the risk of a bad actor adding a backdoor to the action's repository.

Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate this risk, as an attacker would need to generate a SHA-1 collision for a valid Git object payload.

Summary of the feature

Go through all existing workflows in this repo and pin all 3rd party actions to a specific full-length SHA.

Also, to avoid future oversights, add a workflow (see next section) that runs whenever a change is made under .github/workflows/* (the folder that contains the workflows run by GitHub Actions, and also the only place where 3rd party actions can be defined/used).

As maintainers, we should see the following error when non-compliant:
[Screenshot of the failing workflow check; image not available in this copy]
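As an added illustration of the check described above (this is not the workflow from the issue nor from the Powertools for Python repository), a small Python script that walks the files under .github/workflows/, flags every `uses:` reference that is not pinned to a 40-character commit SHA, and skips local and Docker actions. The sample workflow text is constructed; the short prefix `068dc23` on its last step is a truncation of the SHA quoted in the issue.

```python
import re
from pathlib import Path

# A full-length Git commit SHA-1 is exactly 40 hexadecimal characters.
FULL_SHA = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches a `uses:` step line, tolerating a list dash, quotes and a trailing comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<ref>[^'\"\s#]+)")

def is_pinned_to_full_sha(ref: str) -> bool:
    """True only when the part after '@' is a complete 40-hex SHA; tags and short SHAs fail."""
    _action, sep, version = ref.partition("@")
    return bool(sep) and FULL_SHA.match(version) is not None

def find_unpinned(yaml_text: str) -> list[tuple[int, str]]:
    """Return (line_number, action_ref) for each third-party action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if match is None:
            continue
        ref = match.group("ref")
        # Local actions (./path) and Docker images are not GitHub-hosted third-party actions.
        if ref.startswith(("./", "docker://")):
            continue
        if not is_pinned_to_full_sha(ref):
            findings.append((lineno, ref))
    return findings

def scan_workflows(workflows_dir: str = ".github/workflows") -> dict[str, list[tuple[int, str]]]:
    """Scan every .yml/.yaml file in the workflows folder; a non-empty result means non-compliant."""
    results = {}
    paths = list(Path(workflows_dir).glob("*.yml")) + list(Path(workflows_dir).glob("*.yaml"))
    for path in sorted(paths):
        found = find_unpinned(path.read_text(encoding="utf-8"))
        if found:
            results[str(path)] = found
    return results

# Constructed sample (not from the issue); the last step's short prefix truncates the issue's SHA.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/local-step
      - uses: "peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305"
      - uses: peaceiris/actions-gh-pages@068dc23  # constructed short prefix
"""
```

Running `scan_workflows()` from the repository root and failing the job when it returns a non-empty dict gives the error shown above; `find_unpinned(SAMPLE_WORKFLOW)` flags lines 5 and 8 of the sample.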

Code examples

See workflow used in the Powertools for Python repository here.

Benefits for you and the wider AWS community

Hardened security for the repository.

Describe alternatives you've considered

N/A

Additional context

Recommendations on hardening security in the official docs of GitHub Actions: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Related issues, RFCs

aws-powertools/powertools-lambda-python#1301

Metadata

Labels:
automation: This item relates to automation
completed: This item is complete and has been merged/shipped
good-first-issue: Something that is suitable for those who want to start contributing
internal: PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.)