SHA pinning won't necessarily help if the dependency you are pinning doesn't pin its own dependencies! You still get stuff pulled via vulnerable tags etc. How long till we get this https://github.com/github/roadmap/issues/592 ...
Yes, this is a crucial distinction to make. The fact of the matter is that you have to treat GitHub Actions like a compromised system. Sure, there's not a ton of steps you can take for protecting builds if it's your primary builder, but you can for example not hook up an AWS account with full admin privileges to it (which I've seen more times than I would have like to).
I set up this recently at a new company and did yarn + ncc to build a compiled js out of typescript. It was a bit hairy as a novice, but ended up working fine.
That protects from npm supply chain stuff, but obviously third-party includes like docker/build-push-action are still a risk.
sepositus|11 months ago
bracketfocus|11 months ago
They are actually releasing this very soon. I’ve seen some of my workflows use an immutable OCI image for some of GH’s actions like actions/checkout.
sureIy|11 months ago
mikepurvis|11 months ago
That protects from npm supply chain stuff, but obviously third-party includes like docker/build-push-action are still a risk.
thenaturalist|11 months ago
The fact they've been stalling this for a good 2.5 years is... insane??
daveisfera|11 months ago