Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s GitHub Actions configuration by replacing mutable uses: ...@vX references with immutable commit SHAs, reducing CI/CD supply-chain risk.
Changes:
- Pinned
OSDKDev/lock-issuesto a specific commit SHA inlock.yml. - Pinned the SLSA reusable workflow reference to a specific commit SHA in
generator-generic-ossf-slsa3-publish.yml.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/lock.yml |
Pins the third-party issue-locking action to an immutable SHA. |
.github/workflows/generator-generic-ossf-slsa3-publish.yml |
Pins the referenced SLSA reusable workflow to an immutable SHA. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 2
| id-token: write # To sign the provenance. | ||
| contents: write # To add assets to a release. | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@68bad40844440577b33778c9f29077a3388838e9 # v1.4.0 | ||
| with: |
There was a problem hiding this comment.
PR description says it "pins all GitHub Actions to immutable commit SHAs", but there are still workflows using mutable version tags (e.g., .github/workflows/stale.yml uses actions/stale@v10, and this workflow still uses actions/checkout@v6). Either pin the remaining uses: entries to SHAs as well, or update the PR description/scope so it accurately reflects what’s changed.
| @@ -8,6 +8,6 @@ jobs: | |||
| lock: | |||
| runs-on: ubuntu-latest | |||
There was a problem hiding this comment.
This workflow doesn’t set an explicit permissions: block for the GITHUB_TOKEN, so it will inherit the repository default (often broader than needed). Other workflows in this repo define least-privilege permissions; consider adding permissions: issues: write (and nothing else) to the lock job to reduce token scope.
| runs-on: ubuntu-latest | |
| runs-on: ubuntu-latest | |
| permissions: | |
| issues: write |
Re-submission of #947. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.
Summary
This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts any unsafe expressions from run blocks into env mappings.
How to verify
Review the diff, each change is mechanical and preserves workflow behavior:
action@v3becomesaction@abc123 # v3, original version preserved as commentI've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.
If you have any questions, reach out. I'll be monitoring comms.
- Chris (dagecko)