Back when GitHub Actions first came out, I used commit hashes rather than tags in all my `uses:` lines. Some of my colleagues disagreed, saying that tags were secure enough. I eventually said, "Well, for well-known actions like actions/checkout, sure; if that one gets compromised it'll be all over the news within minutes." But for all the third-party actions, I kept commit hashes.<p>I feel rather vindicated now. There's still a small possibility of getting supply-chain attacked via a SHA collision, or a relatively much larger (though still small in absolute terms) possibility of getting supply-chain attacked via NPM dependencies of the action you're relying on.<p>But if you're not using a commit hash in your `uses:` lines, go switch to it now. And if you're just using major-version-only tags like `v5` then do it <i>RIGHT</i> now, <i>before</i> that action gets a compromised version uploaded with a `v5.2.3` tag.
GitHub Actions doesn't have a lock file, so your repo is still prone to transitive attacks if the SHA-locked actions you use also happen to use other composite actions by tags, which could be compromised in the future.
just noting that pinning within your own actions is not enough, you also need to ensure any composite actions do not use mutable references (for actions, docker images, etc.)
I feel pretty happy we use Renovator at my current workplace which by default will raise PRs to change any tags for actions with the SHA instead. Then, even when it bumps the version in future PRs, it bumps the SHA (with a comment of which tag version it represents)
There is no realistic risk of a SHA collision attack. Getting supply chain attacked via NPM dependencies is much more likely. Hopefully the actions creators are also pinning their hashes.
I apologize in advance for the plug. I've spent the last 5 years warning of the importance of not leaving CI locked in a black box platform and proprietary DSL. All the while going on a quest to reinvent CI as an open, programmable platform. Honestly it's still a work-in-progress: it turns out that reinvention is hard! But, if you want a glimpse of what CI can be when you shed 30 years of legacy, consider checking out Dagger (<a href="https://dagger.io" rel="nofollow">https://dagger.io</a>).<p>Or, if you just want to talk about the future of CI with like-minded systems engineers, without committing to using a particular product, consider joining our Discord: <a href="https://discord.com/invite/dagger-io" rel="nofollow">https://discord.com/invite/dagger-io</a>
Programming in YAML has always seemed crazy to me. Actions seem like a great place to create a simple mixed imperative/declarative scripting language (js extension or whatever) with a solid instrumented/observable/debuggable runtime and an OO API that can be run locally against mock infrastructure.
This should really what LLM ought to bring in terms of security. Be able to break things faster considering it is now easier for the maintainers to fix them.<p>This has downsides of course, moving further into the "everything rot so fast these days" trope, but we will in a adversarial world where the threat is constantly evolving.<p>Tomorrow (today) the servers and repo won't be scanned by scripts anymore but by increasingly capable models with knowledge about more security issues than many searchers.
<tangent><p>Github actions is running like treacle now. Even when our company pays lots of money for cloud and private Github runners.<p>I know its the go-to punchbag but I think enabling Copilot reviews globally for a large proportion of Github was a bit hasty.<p>The security problems aside, if it continues this way, people won't be able to ship and deploy code from Github actions.<p>We might dare I say it, have to go back to self hosted Jenkins or Travis CI.
I just have a Spot instance we use for our builds. It's turned on via serverless, runs it's job with a timeout and exits.<p>Lately i don't use any managed services and life couldn't be any simpler.
This aligns nicely with today's/current GitHub Actions outage