
Add optional lint to require that actions are pinned to commit hashes #436


Open: wants to merge 3 commits into base: main

Conversation

mortenson

This PR addresses the "Pin Actions to a full length commit SHA" part of #198 by optionally enforcing that actions are pinned to (full) commit hashes.

This can be enabled by setting require-commit-hash to true in actionlint.yaml.

I haven't contributed to this repo before, so please let me know if you'd like any changes!

@@ -284,6 +285,10 @@ var BrandingIcons = map[string]struct{}{
"zoom-out": {},
}

var hashRegex = regexp.MustCompile("^[0-9a-f]{40}$")
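Review bot: `hashRegex` is case-sensitive, so a full-length hash written with uppercase hex digits would be reported as unpinned even though git resolves it to the same object; either match `[0-9a-fA-F]{40}` or document that the ref must be lowercase. A short comment on the declaration noting that the 40-character length assumes SHA-1 object names would also help future readers.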
mortenson (Author)

You could use short hashes as well, but I was almost certain that would conflict with branch names so this seems better.
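As an added example (not code from this PR or from actionlint itself), the rule described above applied in Go to a few constructed `uses:` values: `checkUses` and `lintUses` are hypothetical names, the sample references are made up, and skipping `./` and `docker://` references is an assumption about how the option would treat actions that carry no git ref.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Full-length SHA-1 commit hash, the same pattern the PR proposes.
var hashRegex = regexp.MustCompile(`^[0-9a-f]{40}$`)
// checkUses applies the require-commit-hash rule to one `uses:` value and
// returns a finding, or "" when it is acceptable. Local actions (./path) and
// container images (docker://...) carry no git ref and are skipped (assumption).
func checkUses(uses string) string {
	if strings.HasPrefix(uses, "./") || strings.HasPrefix(uses, "docker://") {
		return ""
	}
	at := strings.LastIndex(uses, "@")
	if at < 0 {
		return fmt.Sprintf("%s: no ref given; pin to a full-length commit hash", uses)
	}
	if ref := uses[at+1:]; !hashRegex.MatchString(ref) {
		return fmt.Sprintf("%s: ref %q is a tag or branch, not a full-length commit hash", uses, ref)
	}
	return ""
}

// lintUses collects the findings for every `uses:` value of a workflow.
func lintUses(usesValues []string) []string {
	var findings []string
	for _, u := range usesValues {
		if msg := checkUses(u); msg != "" {
			findings = append(findings, msg)
		}
	}
	return findings
}
func main() {
	// Constructed sample values, not taken from any real workflow.
	sample := []string{
		"actions/checkout@v4",
		"actions/checkout@0123456789abcdef0123456789abcdef01234567",
		"./.github/actions/local",
		"some-org/some-action",
	}
	for _, f := range lintUses(sample) {
		fmt.Println(f)
	}
}
```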

@ChrisCarini (Contributor) left a comment

Awesome! 🎉 👏

Looking forward to seeing this feature incorporated since it is a recommended 'security hardening' best-practice that GitHub states: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

@mortenson (Author)

@rhysd what do you think? Viable and/or any changes you'd suggest?

@pmalek commented Jan 9, 2025

@mortenson any chance on moving this forward? That's a very nice addition that we'd like to use.

@mortenson (Author)

@pmalek I'm not a maintainer but I've just resolved merge conflicts if @rhysd has time to review 😺

@okize commented Mar 16, 2025

Given recent events it would be incredibly helpful to incorporate this rule into actionlint, is there anything the community could help with here to get it shipped?

@ChrisCarini (Contributor)

> Given recent events it would be incredibly helpful to incorporate this rule into actionlint, is there anything the community could help with here to get it shipped?

@rhysd - thoughts here on this PR? What remains for you to feel comfortable merging it in and releasing?

sprt added a commit to kata-containers/kata-containers that referenced this pull request Mar 17, 2025
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] rhysd/actionlint#436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
sprt added a commit to kata-containers/kata-containers that referenced this pull request Mar 19, 2025
@Jonas-Beck

Are there any updates on getting this merged?

This would be a really useful feature for us.
