-
-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support: execution from hashref disabled/broken vs GitHub Actions Security Best Practice? #712
Comments
I have left a comment on an issue somewhere in the past, but I couldn't find it, so I'll restate it here. Our project builds and provides build assets only when creating a release. This is to prevent the user from executing this action with a specific branch (like main). For example, if we maintain build assets in the main branch and users use this action as follows, a major release including breaking changes will break the CI workflow of the users silently. - name: Deploy
uses: peaceiris/actions-gh-pages@main # Bad example!
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./public In this project, a major tag (e.g. v3) is guaranteed to contain no breaking changes. But, we recommend using a tag or a commit hash for the stability of your workflows. - name: Deploy
uses: peaceiris/actions-gh-pages@v3.8.0 # tag: Better (Dependabot uses this type)
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./public - name: Deploy
uses: peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305 # commit hash of v3.8.0: Best!
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./public
See the next script. Lines 52 to 61 in c921422
|
@peaceiris thanks for the reply, I also figured out after posting this that instead of taking the SHA of the latest trunk branch, I could use the SHA of a release instead to achieve the same effect while still using a SHA instead of a tag, as per GitHub Actions Security Best Practice. Thanks for the reply here, closing. |
Checklist
Describe your question
Why is execution from the main branch latest hashref disabled/broken when this is the GitHub Actions Security Best Practice to pin 3rd party github actions to an immutable hashref?
I've already seen issues #84 and #98 but there wasn't any reason given in those tickets other than using v2 / v3 tags, but this contradicts GitHub's own security recommendations to not use tags for 3rd parties, see this doc section:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Is it intentional to break execution from main branch hashref or is this a mistake, and if intentional, why?
Update: I had assumed that the latest main hashref would contain the fixes in v3, but for now I'll try using
peaceiris/actions-gh-pages@068dc23d9710f1ba62e86896f84735d869951305
which is the v3 tag's current hashref for immutability.Relevant links
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Relevant log output
No response
Additional context.
No response
The text was updated successfully, but these errors were encountered: