Pin GitHub Actions to commit hashes for security#537

Open
majamassarini wants to merge 1 commit into
packit:mainfrom
majamassarini:pin-actions

Conversation

@majamassarini
Member

@majamassarini majamassarini commented May 20, 2026

Pin github actions to specific commit SHAs to prevent supply chain attacks and ensure reproducible builds.

Assisted-By: Claude Sonnet 4.5

@gemini-code-assist
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@centosinfra-prod-github-app
Contributor

@nforro
Member

nforro commented May 20, 2026

> Pin all non-packit actions in artifact-handling workflows to specific commit SHAs to prevent supply chain attacks and ensure reproducible builds.

Why exclude Packit actions?

@majamassarini
Member Author

> Pin all non-packit actions in artifact-handling workflows to specific commit SHAs to prevent supply chain attacks and ensure reproducible builds.

> Why exclude Packit actions?

Because I think we trust our team/process more than the external ones, and I suppose the risk is therefore lower with our own actions. But if you think it is better to pin down all of them, then I will do it.

@nforro
Member

nforro commented May 20, 2026

> because I think we trust our team/process more than the external ones and I suppose the risk is therefore lower with our own actions

I don't think this is about trust. Do you think it's less likely for an attacker to get access to one of our repos and "retarget" a tag than to any third-party repo?

@majamassarini
Member Author

> because I think we trust our team/process more than the external ones and I suppose the risk is therefore lower with our own actions

> I don't think this is about trust, do you think it's less likely for an attacker to get access to one of our repos and "retarget" a tag than to any third-party repo?

Not less likely than for a GitHub repo, but for other third-party repos, yes, I consider it less likely. However, I see your point, and I will change our actions too.

Pin all actions to specific commit SHAs to
prevent supply chain attacks and ensure reproducible builds.

Assisted-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@centosinfra-prod-github-app
Contributor

@majamassarini majamassarini added the mergeit Merge via Zuul label May 20, 2026
check_release_notes:
name: Notes are either written, or there are none
uses: packit/.github/.github/workflows/check-release-notes.yml@main
uses: packit/.github/.github/workflows/check-release-notes.yml@2837c96caf71966609451ad0323552ef4be11a23 # main
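Review bot: the trailing `# main` on the new `uses:` line records a branch, not a release, so tooling that bumps SHA pins by comparing the comment against upstream tags (Dependabot, Renovate) has nothing to work from, and this pin will only move when someone edits it by hand. Either reference a release tag of packit/.github in the comment once one exists, or document the manual re-pin step next to this job so the workflow does not silently fall behind `check-release-notes.yml` on `main`.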
This has quite a trade-off of needing to babysit these updates based on commit bumps to main. May not be that big of an issue if everyone remembers to bump when the relevant files in packit/packit change.

runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
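Review bot: the `# v3` comment next to the new SHA is a floating major tag, so it neither tells a reader which release commit `f43a0e5ff2bd294095638e18286ca9a3d1956744` actually is nor gives Dependabot/Renovate an exact version to compare against when proposing a bump. Resolve the commit to the exact `vX.Y.Z` tag it carries in actions/checkout and put that in the comment; the full 40-character SHA itself is correct as written and should stay, since abbreviated SHAs are not accepted for pinning third-party actions.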

Note that a prerequisite for these is to change the tag from vX to vX.Y.Z, otherwise tools like Dependabot and Renovate would not work properly (yes, it would just freeze to the commit you gave, but also not give you any updates either). Although, these have not been updated since v3 so far anyway 😅.
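
The two review comments above describe a check that is easy to automate: every `uses:` reference should resolve to a full 40-character commit SHA, and the trailing comment should be an exact `vX.Y.Z` tag rather than `v3` or `main`, so that Dependabot or Renovate can still propose updates. The script below is an added example and is not code from this PR or from the packit project. It is a stand-alone linter with a constructed workflow snippet embedded inline that mirrors the lines under review; the `actions/setup-python` SHA in that snippet is a placeholder, not a real commit, and the `Finding` type and `check_workflow` function are names chosen here.

```python
#!/usr/bin/env python3
"""Lint GitHub Actions `uses:` references for commit-SHA pinning.

Added example, not part of the PR or the packit project. It flags:
  * a ref that is a tag or branch rather than a 40-hex commit SHA,
  * a SHA pin with no trailing version comment,
  * a SHA pin whose comment is not an exact vX.Y.Z tag (so `# v3` or
    `# main` give Dependabot/Renovate nothing to bump against).
"""
import re
import sys
from typing import List, NamedTuple

# One `uses:` line, either a step (`- uses: ...`) or a job-level reusable
# workflow (`uses: ...`), with an optional trailing `# comment`.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*
        (?P<target>[^\s\#]+)               # owner/repo[/path]@ref
        (?:\s*\#\s*(?P<comment>\S+))?     # optional "# v1.2.3"
        \s*$""",
    re.VERBOSE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # full-length commit, lowercase hex
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")  # vX.Y.Z, the form the reviewer asked for


class Finding(NamedTuple):
    line: int
    action: str
    ref: str
    problem: str


def check_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that is not SHA-pinned with an exact-tag comment."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = USES_RE.match(raw)
        if not m:
            continue
        target = m.group("target")
        # Local actions and container images are not git refs in another repo; skip them.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            findings.append(Finding(lineno, target, "", "no ref given"))
            continue
        action, ref = target.rsplit("@", 1)
        comment = m.group("comment")
        if not SHA_RE.fullmatch(ref):
            findings.append(Finding(lineno, action, ref,
                                    "mutable ref (tag or branch), not a commit SHA"))
        elif comment is None:
            findings.append(Finding(lineno, action, ref,
                                    "SHA pin without a version comment; updaters cannot track it"))
        elif not EXACT_TAG_RE.fullmatch(comment):
            findings.append(Finding(lineno, action, ref,
                                    f"comment '{comment}' is not an exact vX.Y.Z tag"))
    return findings


# Constructed sample mirroring the lines under review in this PR. The
# actions/setup-python SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  check_release_notes:
    uses: packit/.github/.github/workflows/check-release-notes.yml@2837c96caf71966609451ad0323552ef4be11a23 # main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: ./.github/actions/local-helper
"""


def main(paths: List[str]) -> int:
    """Lint the given workflow files (or the built-in sample); exit non-zero if anything is unpinned."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for name, text in sources:
        for f in check_workflow(text):
            print(f"{name}:{f.line}: {f.action}@{f.ref or '?'}: {f.problem}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with no arguments to lint the embedded sample, or pass `.github/workflows/*.yml` to lint a checkout; a non-zero exit makes it usable as a CI gate. On the sample it reports the three cases discussed in this thread: the reusable workflow pinned with a `# main` comment, the bare `actions/checkout@v3`, and the SHA pin whose comment is only `# v3`, while the `vX.Y.Z`-commented pin and the local action pass.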
