fix: harden GitHub Actions workflows #13178
dagecko wants to merge 1 commit into EbookFoundation:main from dagecko:runner-guard/fix-ci-security
Conversation
Thenlie left a comment:
Definitely a good practice. Need to see how this works with Dependabot but I don't think that is a reason to block the PR.
This Pull Request has been automatically marked as stale because it has not had recent activity during last 60 days 😴 It will be closed in 30 days if no further activity occurs. To unstale this PR, draft it, remove stale label, comment with a detailed explanation or push more commits. There can be many reasons why some specific PR has no activity. The most probable cause is lack of time, not lack of interest. Thank you for your patience ❤️
Oh no 😟! Conflicts have been found. Please 🙏, take a moment and address the merge conflicts of your pull request before we can evaluate it again. Thanks in advance for your effort and patience ❤️!
Re-submission of #13155. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.
Summary
This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts any unsafe expressions from run blocks into env mappings.
How to verify
Review the diff; each change is mechanical and preserves workflow behavior:
action@v3 becomes action@abc123 # v3, original version preserved as comment
I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.
If you have any questions, reach out. I'll be monitoring comms.
- Chris (dagecko)
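The two changes the description lists (pin `uses:` targets to a full commit SHA, and move `${{ ... }}` expressions out of `run:` blocks into `env:`) can be checked mechanically. The script below is an added example written for this page; it is not code from the PR, from free-programming-books, or from the Runner Guard scanner the author mentions. It is a line-based scan of workflow text rather than a full YAML parser, the two sample workflows are constructed, and the 40-hex SHA in the hardened sample is a placeholder, not a real commit.

```python
"""Flag the two workflow patterns this PR removes: unpinned `uses:` refs and
expressions expanded inside `run:` blocks. Added example; line-based, not a
YAML parser, so unusual layouts may be missed."""
import re
from typing import List, Optional

# A full commit SHA is exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref` (optionally quoted); the capture stops at whitespace,
# a quote, or a trailing `# v3` comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")
# `run:` key; group 1 is everything before the key, so its length is the key column.
RUN_RE = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{[^}]*\}\}")
BLOCK_SCALAR_RE = re.compile(r"^[|>][-+0-9]*$")


def check_uses(ref: str) -> Optional[str]:
    """Return a finding for a `uses:` target that is not pinned to a commit SHA."""
    # Local actions and docker:// images have no git ref to pin; skip them.
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return f"{ref}: no ref at all"
    action, ref_part = ref.rsplit("@", 1)
    if SHA_RE.match(ref_part):
        return None
    return f"{action}@{ref_part}: mutable ref, pin to a 40-hex commit SHA"


def scan_workflow(text: str) -> List[str]:
    """Return one finding string per unpinned action or per expression inside `run:`."""
    findings: List[str] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = USES_RE.match(line)
        if m:
            f = check_uses(m.group(1))
            if f:
                findings.append(f"line {i + 1}: {f}")
            i += 1
            continue
        m = RUN_RE.match(line)
        if m:
            key_col = len(m.group(1))
            start, body = i, [m.group(2)]
            i += 1
            if BLOCK_SCALAR_RE.match(m.group(2).strip()):
                # Block scalar (`run: |`): the body is every following line that is
                # blank or indented deeper than the `run` key itself.
                while i < len(lines) and (
                    not lines[i].strip()
                    or len(lines[i]) - len(lines[i].lstrip()) > key_col
                ):
                    body.append(lines[i])
                    i += 1
            # Any expression expanded into the shell script is flagged; the fix is to
            # bind it in `env:` and reference the variable from the script.
            for expr in EXPR_RE.findall("\n".join(body)):
                findings.append(
                    f"line {start + 1}: {expr} inside run; move it into env "
                    "and reference the variable instead"
                )
            continue
        i += 1
    return findings


# Constructed sample: the "before" shape the PR description is fixing.
UNSAFE_WORKFLOW = """\
name: triage
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: greet
        run: |
          echo "Thanks for ${{ github.event.pull_request.title }}"
          echo done
"""

# Constructed sample: the same workflow after both mechanical changes.
# The SHA below is a placeholder, not a real actions/checkout commit.
HARDENED_WORKFLOW = """\
name: triage
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v3
      - name: greet
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Thanks for $PR_TITLE"
          echo done
"""

if __name__ == "__main__":
    for name, wf in (("unsafe", UNSAFE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {len(scan_workflow(wf))} finding(s)")
        for f in scan_workflow(wf):
            print("  " + f)
```

Run against the unsafe sample it reports the unpinned checkout on line 8 and the expression inside the `run:` block on line 10; the hardened sample reports nothing. The checker flags every expression inside `run:`, not only ones derived from event payloads, because the `env:` form is the safe default regardless of where the value comes from.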