Description
Problem statement
Workflows can use 3rd party actions. When specifying an action in a workflow you can use a version (i.e. actions/setup-node@v3) or specify a full length SHA number (i.e. peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305).
When using the first method two workflow executions could be using versions of a 3rd party action that correspond to different commits. This exposes the repository running the workflow to the risk of a bad actor adding a backdoor to the action's repository.
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate this risk, as they would need to generate a SHA-1 collision for a valid Git object payload.
Summary of the feature
Go through all existing workflows in this repo and pin all 3rd party actions to a specific full length SHA number.
Also, to avoid future oversights, add a workflow (see next section) that runs whenever a change is made under .github/workflows/* (the folder that contains the workflows ran by GitHub Actions and also only place where 3rd party actions can be defined/used).
As a maintainer, we should see the following error when non-compliant:
Code examples
See workflow used in the Powertools for Python repository here.
Benefits for you and the wider AWS community
Hardened security for the repository.
Describe alternatives you've considered
N/A
Additional context
Recommendations on hardening security in the official docs of GitHub Actions: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions