Commit hash pinning in GitHub Actions: secure, but at a cost
3 days ago
- #DevOps
- #GitHub Actions
- #Security
- Commit hash/SHA pinning in GitHub Actions is a security best practice, but it comes with trade-offs.
- Managing upgrades for numerous actions is cumbersome and prone to human error.
- Automating updates with Dependabot can reintroduce risks similar to using version tags.
- Dependabot Security Alerts don't work with commit hashes, potentially weakening security.
- Well-known maintainers (e.g., AWS) are more likely to ship a CVE than to suffer an account takeover.
- GitHub is trialing immutable actions to address commit hash shortcomings.
- Alternative #1: Use version tags from reputable maintainers and avoid unknown authors.
- Alternative #2: Create internal wrapper actions to centralize and simplify hash updates.
- Commit hash pinning is often impractical; version tags from trusted sources may suffice.
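The summary above contrasts mutable version tags with immutable commit hashes and suggests limiting tag pinning to reputable maintainers. The following script is an added example, not code from the original post: it audits a workflow for `uses:` references and reports steps that track a branch, use a tag from an owner outside an allow-list, or are SHA-pinned without the `# vX.Y.Z` comment that keeps the pinned version readable. The embedded workflow, the owner allow-list, and the 40-character SHA are all constructed placeholders for illustration; the SHA is not a real commit of any action.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample workflow for the example. The SHA below is a placeholder,
# not a real commit of any action; "some-unknown-user" is a hypothetical owner.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: some-unknown-user/do-thing@main
      - uses: some-unknown-user/other-thing@v1
      - uses: ./.github/actions/internal-wrapper
      - uses: docker://alpine:3.19
      - run: npm test
"""

# Owners whose mutable version tags the policy accepts (constructed allow-list).
TRUSTED_OWNERS = {"actions", "aws-actions"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full-length commit hash
SEMVER_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # v4, v4.0, v4.0.2


@dataclass
class UsesRef:
    line_no: int
    action: str
    ref: str
    comment: str | None
    kind: str  # one of: sha, tag, branch, local, docker


def classify(action_ref: str, comment: str | None, line_no: int) -> UsesRef:
    """Split an `owner/repo@ref` string and classify how the ref is pinned."""
    if action_ref.startswith("./"):
        return UsesRef(line_no, action_ref, "", comment, "local")
    if action_ref.startswith("docker://"):
        return UsesRef(line_no, action_ref, "", comment, "docker")
    action, _, ref = action_ref.partition("@")
    if SHA_RE.match(ref):
        kind = "sha"
    elif SEMVER_RE.match(ref):
        kind = "tag"
    else:
        kind = "branch"  # anything else (main, master, a feature branch) is mutable
    return UsesRef(line_no, action, ref, comment.strip() if comment else None, kind)


def find_uses(workflow_text: str) -> list[UsesRef]:
    """Collect every `uses:` reference in a workflow, with its line number."""
    found = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            found.append(classify(m.group("ref"), m.group("comment"), n))
    return found


def audit(workflow_text: str, trusted_owners: set[str]) -> list[str]:
    """Return one finding per step that deviates from the pinning policy."""
    findings = []
    for u in find_uses(workflow_text):
        if u.kind in ("local", "docker"):
            continue  # local composite actions and images are out of scope here
        owner = u.action.split("/")[0]
        if u.kind == "sha":
            if not u.comment:
                findings.append(f"line {u.line_no}: {u.action} is SHA-pinned without a version comment")
        elif u.kind == "tag":
            if owner not in trusted_owners:
                findings.append(f"line {u.line_no}: {u.action}@{u.ref} is a mutable tag from an owner outside the allow-list")
        else:
            findings.append(f"line {u.line_no}: {u.action}@{u.ref} tracks a branch and can change at any time")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WORKFLOW, TRUSTED_OWNERS):
        print(finding)
```

Run against a real `.github/workflows/*.yml` file, the script reads `uses:` lines with a regular expression rather than a YAML parser, so it stays dependency-free but will not see references built from expressions or anchors. The allow-list encodes the post's first alternative (accept tags only from maintainers you already trust), and the version-comment check keeps SHA pins reviewable, which is the part of hash pinning that becomes cumbersome across many actions.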