Hash-pin all action references, address other zizmor findings #723
KodrAus merged 6 commits into rust-lang:master from
Conversation
Signed-off-by: William Woodruff <william@yossarian.net>
Thanks for the PR @woodruffw! Pinning our dependencies is a good idea, and should be enough of an improvement here without introducing any new tooling 👍 The build failure is unrelated. It looks like we need to bump our MSRV.
Thomasdezeeuw left a comment
I'm 👍 on the idea. Here are the (unique) commits we're using:
- actions/checkout@34e1148 (v4.3.1)
- dtolnay/rust-toolchain@ae07f54 (1.68.0)
- dtolnay/rust-toolchain@e97e2d8 (current master)
- taiki-e/install-action@0abfcd5 (current main)
I've checked them all; they seem good 👍 (GitHub actually allows references to commits in forks via the main repo path, so even using a commit hash isn't a full security solution.)
I've made two suggestions to update checkout to v6 and the rust toolchain to 1.68.2:
- actions/checkout@0c366fd (current main)
- dtolnay/rust-toolchain@757872f (1.68.2, my suggestion)
Perhaps while we're here we should bump that version to
Done, bumped to 1.71 🙂
with:
  components: clippy
- uses: taiki-e/install-action@cargo-hack
toolchain: "1.71"
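Review bot: the "- uses: taiki-e/install-action@cargo-hack" line in this snippet references a mutable tag rather than a commit SHA, which is the class of reference this PR sets out to pin; if the line reflects the PR's final state it should become a full 40-character SHA with the tag kept as a trailing comment, matching the (abbreviated) taiki-e/install-action@0abfcd5 commit the review summary lists. The toolchain: "1.71" bump also needs the matching MSRV in Cargo.toml, as the comment on this snippet already points out.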
We'll just need to update the value in our Cargo.toml too to 1.71
KodrAus left a comment
Thanks for working through this @woodruffw!
Hello! Apologies for the cold PR.
I'm opening this in my capacity as one of uv's maintainers; we have a set of downstreams (including log!) that we depend on, and we'd like to ensure their CI/CD processes are as hermetic and secure as possible (within the limits of GitHub's platform). To that effect, this PR contains a few different commits that aim to make log's CI more secure. None of these changes fix vulnerabilities; they're purely defense-in-depth changes that will make a future Trivy-style compromise less fruitful for an attacker. To summarize:
- pinact run -v. You can use Dependabot to keep these up to date with minimal maintenance burden, although it isn't enabled at the moment. I'm happy to also send a follow-up PR enabling Dependabot.
- actions/checkout's default credential-persistence behavior with persist-credentials: false.
Most of the above was detected automatically with zizmor, which you can integrate into GitHub Actions if you'd like. I've left that out of this PR however, since not every project wants another thing running in CI. But let me know if you'd like it and I'd be happy to send a follow-up PR!
Last but not least, please let me know if there's any other information I can provide. All of the above was 100% human written and reviewed 🙂
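As an added illustration of the two checks the PR description covers (full-SHA pinning of `uses:` references and `persist-credentials: false` on checkout steps), here is a small line-based workflow checker in Python; it is example code, not part of this PR, zizmor or pinact, and the workflow snippets and 40-hex SHAs in it are constructed placeholders.

```python
import re

# Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")


def unpinned_uses(workflow: str) -> list[str]:
    """`uses:` refs not pinned to a full SHA (local ./ and docker:// refs skipped)."""
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1)
            if not re.fullmatch(r"[0-9a-f]{40}", ref.partition("@")[2]):
                findings.append(ref)
    return findings


def checkout_without_persist_false(workflow: str) -> list[int]:
    """1-based lines of actions/checkout steps that keep the default persist-credentials."""
    lines = workflow.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or not m.group(1).startswith("actions/checkout@"):
            continue
        key_col, ok = line.index("uses:"), False
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_col:
                break  # dedented past the `uses:` key: this step's block ended
            if re.match(r"^\s*persist-credentials:\s*false\s*$", nxt):
                ok = True
                break
        if not ok:  # token stays in .git/config, readable by every later step
            findings.append(i + 1)
    return findings


# Constructed sample workflows; the 40-hex SHAs are placeholders, not real commits.
WEAK = """\
    steps:
      - uses: actions/checkout@v4
      - uses: taiki-e/install-action@cargo-hack
"""
PINNED = """\
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.3.1
        with:
          persist-credentials: false
      - uses: dtolnay/rust-toolchain@fedcba9876543210fedcba9876543210fedcba98 # 1.71
"""
```

Running both functions over WEAK reports the two tag references and the checkout step on line 2; over PINNED both return empty lists.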