CI: add check of GitHub Action pinned hashes against tag #1885
If it helps, this is the script that I use to validate tags:

$ cat gh_fix_action_hash.sh

```bash
#!/usr/bin/env bash
#
# Description: Pin GitHub Actions to a specific tag.
set -u -o pipefail
if [[ $# -le 1 ]]; then
  echo "usage: $(basename "$0") <action> <file...>"
  exit 1
fi
action="$1"
shift 1
# owner/repo part of the action reference (drops any sub-path)
repo="$(echo "${action}" | cut -f1-2 -d'/')"
# Highest non-prerelease release tag, by version sort
get_latest_tag() {
  local repo="$1"
  gh api "repos/${repo}/releases" \
    | jq -r '.[] | select(.prerelease == false) | .tag_name' \
    | sort -V \
    | tail -n 1
}
latest_tag="$(get_latest_tag "${repo}" 2> /dev/null)"
# A failed API call yields empty output; jq on a missing field yields "null"
if [[ -z "${latest_tag}" || "${latest_tag}" == "null" ]] ; then
  echo "ERROR: Unable to get latest release tag"
  exit 1
fi
latest_hash="$(gh api "repos/${repo}/git/ref/tags/${latest_tag}" 2> /dev/null | jq -r '.object.sha')"
if [[ -z "${latest_hash}" || "${latest_hash}" == "null" ]] ; then
  echo "ERROR: Unable to get latest SHA hash"
  exit 1
fi
new_uses="uses: ${action}@${latest_hash} # ${latest_tag}"
echo "Updating: ${new_uses}"
```

It uses the github CLI and jq for parsing. I'm pretty sure those are both available in the github actions standard runtime.
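An added example, written for this thread rather than taken from SuperQ's script or the PR's `.ci.ghactions.sh`, of the check the PR is about: it reads pinned `uses:` lines from a workflow file and verifies that the declared tag comment resolves (through the `gh` CLI and `jq`, assumed installed) to the pinned commit SHA, dereferencing annotated tags. `stub_resolve` is a constructed tag-to-SHA table for running the check offline.

```shell
#!/usr/bin/env bash
# Added example (not the PR's .ci.ghactions.sh): check that each pinned
# "uses: owner/repo@<sha> # <tag>" line points at the commit <tag> resolves to.
set -u

# Print "action sha tag" for a line pinned to a full 40-hex SHA with a tag
# comment; print nothing for any other line.
parse_uses_line() {
  printf '%s\n' "$1" | sed -n -E \
    's,^[[:space:]-]*uses:[[:space:]]*([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([0-9a-f]{40})[[:space:]]*#[[:space:]]*([^[:space:]]+).*,\1 \2 \3,p'
}

# Resolve <tag> in <repo> to a commit SHA with the gh CLI and jq (assumed installed).
resolve_tag() {
  local ref sha
  ref="$(gh api "repos/$1/git/ref/tags/$2" 2>/dev/null)" || return 1
  sha="$(printf '%s' "$ref" | jq -r '.object.sha')"
  # An annotated tag resolves to a tag object; dereference it to its commit.
  if [ "$(printf '%s' "$ref" | jq -r '.object.type')" = "tag" ]; then
    sha="$(gh api "repos/$1/git/tags/$sha" 2>/dev/null | jq -r '.object.sha')"
  fi
  printf '%s\n' "$sha"
}

# Check one workflow file. $2 names the function mapping (repo, tag) to a
# commit SHA (default resolve_tag; pass stub_resolve to run offline).
# Returns 0 when every pinned action matches its declared tag, 1 otherwise.
check_workflow() {
  local file="$1" resolver="${2:-resolve_tag}" rc=0 line parsed repo expected
  while IFS= read -r line || [ -n "$line" ]; do
    parsed="$(parse_uses_line "$line")"
    [ -n "$parsed" ] || continue
    set -- $parsed          # action sha tag; the fields contain no whitespace
    repo="$(printf '%s' "$1" | cut -d/ -f1-2)"
    expected="$("$resolver" "$repo" "$3" < /dev/null)" || expected=""
    if [ "$expected" != "$2" ]; then
      echo "MISMATCH $file: $1@$2 declared $3 -> ${expected:-<unresolved>}"
      rc=1
    fi
  done < "$file"
  return "$rc"
}
# Constructed offline stand-in for resolve_tag: a fixed tag -> SHA table.
stub_resolve() {
  case "$1@$2" in
    actions/checkout@v6.0.2) echo de0fac2e4500dabe0009e67214ff5f5447ce83dd ;;
    example/action@v1.2.3) echo 1111111111111111111111111111111111111111 ;;
    *) return 1 ;;
  esac
}
```

Run it as `check_workflow .github/workflows/ci.yml` in CI; a non-zero exit means at least one pinned SHA does not belong to the tag its comment claims.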
```yaml
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - run: ./.ci.ghactions.sh
```
Why not use zizmor?
zizmor is a static analysis tool for GitHub Actions. It can find and fix many common security issues in typical GitHub Actions CI/CD setups.
```yaml
      - run: ./.ci.ghactions.sh
      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
        with:
          advanced-security: false
          annotations: true
```
See the real world example at https://github.com/golangci/golangci-lint/blob/0fffb1b46b3adbf5fd8e76b8e59a77e3d2724cb9/.github/workflows/pr-checks.yml#L32
@dolmen what are your thoughts here?
It's a good thing to rely on an external dependency that is community reviewed.
Here the code is not tested; a future PR could introduce a small change that could break the feature of checking tags.
zizmor is tested and maintained.
Also, we could use the cooldown feature in Dependabot, trying to mitigate attacks.
https://github.com/samber/cc-skills-golang/blob/main/skills%2Fgolang-modernize%2FSKILL.md
There is a balance between adding external dependencies (which are a supply chain risk) and what they bring.
At this point I prefer a simple shell script that anyone can audit (and run in their own dev environment) to trusting another external dependency as a GitHub Action. Even one made by a security researcher who now works at OpenAI.
baab396 to b84497c
Add .ci.ghactions.sh script to validate hashes of GitHub Actions against the declared tag.
b84497c to a66fd44
@ccoVeille While modifying the script to add the license I noticed a few things to clean (such as shellcheck warnings) which I have fixed, so it seems that another full review is required.
ccoVeille
left a comment
Sounds good, even the changes.
Did you try launching shellcheck on it?
Summary
Add .ci.ghactions.sh script to validate hashes of GitHub Actions against the declared tag.
Changes
- Add .ci.ghactions.sh script.
- Run .ci.ghactions.sh script from new GH Actions job check-actions-hashes.
Motivation
Supply chain security.
Related issues
#1883
Cc: @SuperQ