ci: pin all GH Actions #12619

Merged: 2 commits merged into argoproj:main from ci-pin-actions on Feb 5, 2024

Conversation

@agilgur5 (Member) commented Feb 4, 2024

Partial fix for #12031, "Pinned Dependencies"

Motivation

- `git` tags are mutable, while SHAs are immutable, so SHAs are [recommended](https://github.com/ossf/scorecard/blob/8eaf0d7647a3f50d80615812c72a277fd568fb6d/docs/checks.md#pinned-dependencies) for better supply chain security
  - Note that dependabot [knows how to](https://github.blog/changelog/2022-10-31-dependabot-now-updates-comments-in-github-actions-workflows-referencing-action-versions/) update both the SHA and the version comment

Modifications

- add https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions to the `lint` job to ensure all actions stay pinned
- Pinned all actions, as listed below, from "most trusted" to "least trusted" (zero trust all of them, though; potentially relevant for risk assessment purposes):
  - Published by GitHub:
    - pin `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` (cf. [v4.1.1](https://github.com/actions/checkout/releases/tag/v4.1.1))
    - pin `actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0` (cf. [v5.0.0](https://github.com/actions/setup-go/releases/tag/v5.0.0))
    - pin `actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1` (cf. [v4.0.1](https://github.com/actions/setup-node/releases/tag/v4.0.1))
    - pin `actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0` (cf. [v5.0.0](https://github.com/actions/setup-python/releases/tag/v5.0.0))
    - pin `actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4.0.0` (cf. [v4.0.0](https://github.com/actions/setup-java/releases/tag/v4.0.0))
    - pin `actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3` (cf. [v3.3.3](https://github.com/actions/cache/releases/tag/v3.3.3))
    - pin `actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3` (cf. [v3.1.3](https://github.com/actions/upload-artifact/releases/tag/v3.1.3))
    - pin `actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2` (cf. [v3.0.2](https://github.com/actions/download-artifact/releases/tag/v3.0.2))
    - pin `actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0` (cf. [v9.0.0](https://github.com/actions/stale/releases/tag/v9.0.0))
    - pin `dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0` (cf. [v1.6.0](https://github.com/dependabot/fetch-metadata/releases/tag/v1.6.0))
  - Published by Docker, Azure/MSFT, then sigstore:
    - pin `docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0` (cf. [v3.0.0](https://github.com/docker/setup-buildx-action/releases/tag/v3.0.0))
    - pin `docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0` (cf. [v5.1.0](https://github.com/docker/build-push-action/releases/tag/v5.1.0))
    - pin `docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0` (cf. [v3.0.0](https://github.com/docker/setup-qemu-action/releases/tag/v3.0.0))
    - pin `docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0` (cf. [v3.0.0](https://github.com/docker/login-action/releases/tag/v3.0.0))
    - pin `Azure/docker-login@83efeb77770c98b620c73055fbb59b2847e17dc0 # v1.0.1` (cf. [v1.0.1](https://github.com/Azure/docker-login/releases/tag/v1.0.1))
    - pin `sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0` (cf. [v3.4.0](https://github.com/sigstore/cosign-installer/releases/tag/v3.4.0))
  - Published by Snyk:
    - pin `snyk/action/golang@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0` (cf. [v0.4.0](https://github.com/snyk/actions/releases/tag/0.4.0))
    - pin `snyk/action/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0` (cf. [v0.4.0](https://github.com/snyk/actions/releases/tag/0.4.0))
  - Published by third-party / indie:
    - pin `tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2` (cf. [v41.1.2](https://github.com/tj-actions/changed-files/releases/tag/v41.1.2))
    - pin `softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1` (cf. [v1](https://github.com/softprops/action-gh-release/releases/tag/v1))
    - pin `amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0` (cf. [v5.4.0](https://github.com/amannn/action-semantic-pull-request/releases/tag/v5.4.0))
    - pin `peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2` (cf. [v5.0.2](https://github.com/peter-evans/create-pull-request/releases/tag/v5.0.2))

Verification

CI passes

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
@agilgur5 added the labels type/security (Security related), type/dependencies (PRs and issues specific to updating dependencies), github_actions (Pull requests that update Github_actions dependencies) and area/build (Build or GithubAction/CI issues) on Feb 4, 2024
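The check the PR wires into the `lint` job can also be run locally before pushing. Below is an added example, not code from this PR, from the zgosalvez action or from the argo-workflows repository: a standalone Python script that scans workflow text for `uses:` references and reports anything not pinned to a full 40-hex commit SHA. The sample workflow is constructed for the example (the pinned SHAs are the ones from this PR; the other refs are deliberately left unpinned). Its policy choices beyond what the PR states are the example's own: `docker://` images must carry a `@sha256:` digest, abbreviated SHAs are rejected, and a full SHA without a `# vX.Y.Z` comment is reported as a warning rather than an error, since dependabot still bumps the SHA but a human reviewer loses the version hint.

```python
"""Local check: every `uses:` in a GitHub Actions workflow must be pinned to an
immutable full commit SHA, not a mutable tag or branch.
Added example; not code from the argo-workflows repository or the PR."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Matches `- uses: owner/repo@ref   # optional comment`, quoted or unquoted.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^"\'#\s]+)["\']?\s*(?:#\s*(?P<comment>\S.*?))?\s*$'
)
FULL_SHA_RE = re.compile(r'[0-9a-f]{40}')
SHORT_SHA_RE = re.compile(r'[0-9a-f]{7,39}')


@dataclass
class Finding:
    line_no: int
    ref: str
    severity: str  # "error" should fail the job, "warn" is advisory
    reason: str


def version_of(ref: str) -> Optional[str]:
    """The part after the last '@', or None when the ref carries no version."""
    return ref.rsplit('@', 1)[1] if '@' in ref else None


def is_full_sha_pin(ref: str) -> bool:
    v = version_of(ref)
    return v is not None and FULL_SHA_RE.fullmatch(v) is not None


def classify(ref: str) -> Optional[str]:
    """Return an error reason, or None when the ref is acceptably pinned.
    The docker-digest and short-SHA rules are this example's own policy."""
    if ref.startswith(('./', '../')):
        return None  # local action: it ships with the checked-out tree
    if ref.startswith('docker://'):
        return None if '@sha256:' in ref else 'docker image is not pinned by digest'
    v = version_of(ref)
    if v is None:
        return 'no version given at all'
    if FULL_SHA_RE.fullmatch(v):
        return None
    if SHORT_SHA_RE.fullmatch(v):
        return f'abbreviated SHA {v!r}; pin the full 40-hex commit'
    return f'mutable ref {v!r} (a tag or branch can be moved or force-pushed)'


def check_workflow(text: str) -> List[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group('ref')
        reason = classify(ref)
        if reason:
            findings.append(Finding(n, ref, 'error', reason))
        elif is_full_sha_pin(ref) and not m.group('comment'):
            # Not a security problem, but the "# vX.Y.Z" comment is what makes
            # a SHA pin reviewable by humans; dependabot keeps both in sync.
            findings.append(Finding(n, ref, 'warn', 'full SHA without a version comment'))
    return findings


# Constructed sample. The two SHAs are the real ones from this PR; the other
# refs are intentionally unpinned so every branch of classify() is exercised.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-go@v5.0.0
      - uses: tj-actions/changed-files@main
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c
"""


def main(paths: List[str]) -> int:
    """Print findings for each workflow file; exit 1 if any is error-level."""
    worst = 0
    for path in paths:
        with open(path, encoding='utf-8') as fh:
            for f in check_workflow(fh.read()):
                print(f'{path}:{f.line_no}: {f.severity}: {f.ref}: {f.reason}')
                if f.severity == 'error':
                    worst = 1
    return worst


if __name__ == '__main__':
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))  # e.g. python check_pins.py .github/workflows/*.yml
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f'sample:{f.line_no}: {f.severity}: {f.ref}: {f.reason}')
```

Run it over `.github/workflows/*.yml` from a pre-commit hook or as a `make lint` target; the CI action remains the enforcement point, this only catches the mistake before the push.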
@isubasinghe (Member) left a comment

This is an excellent idea, something we should have had earlier

@agilgur5 (Member, Author) commented Feb 5, 2024

Merged main for the E2E fix

@terrytangyuan terrytangyuan merged commit 6ba7401 into argoproj:main Feb 5, 2024
30 checks passed
@agilgur5 agilgur5 deleted the ci-pin-actions branch February 5, 2024 18:36
@agilgur5 (Member, Author) commented

This raised our OpenSSF Scorecard score by 6 points in the pinned deps check 🙂
