Hey there 👋
I work on an open source security project (Frizbee) that can automatically pin GitHub Actions to digests (instead of floating tags).
The Frizbee team is trying to spread the word to open source maintainers about the need for this, because pinning your actions to commit hashes is the only way to get an immutable pointer to a specific revision. If an action's source code repo is compromised by a malicious actor, you'll still be referencing a known-good version and your project won't be at risk.
If you want to implement actions pinning, here's how you can easily do this with Frizbee (to avoid having to manually look up the digest for each tag or branch):
Use the frizbee actions command to parse all of your Actions workflows and replace the needed tags with the commit checksum
Done!
Note: Dependabot supports updating pinned actions and will continue to update them. For convenience, Frizbee appends a comment with the version of this action.
If it's easier for you, I can go ahead and create a PR for the above steps. I wanted to make sure this was something you'd want to move forward with first before doing that.
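An added example (not part of the issue above and not Frizbee's own code) that shows the state the post is asking maintainers to check: a small scan that lists which `uses:` references in a workflow are still floating tags or branches rather than commit digests, and which already carry the version comment that keeps Dependabot updates working. The workflow text is constructed for the example, and the 40-zero digest is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow (not a real project's file). The setup-go step
# is already pinned the way the post describes: digest plus a version comment.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # v5.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: lint
        run: echo lint
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_uses(text):
    """Return (ref, status, version_comment) for every `uses:` entry.

    status is one of: pinned, floating, local, docker.
    A 'floating' ref (tag or branch) is mutable and can be moved by whoever
    controls the action's repository; only a full 40-hex commit SHA is an
    immutable pointer. The trailing comment is what Dependabot reads to
    keep bumping a pinned ref to newer releases.
    """
    findings = []
    for m in USES_RE.finditer(text):
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./"):
            status = "local"
        elif ref.startswith("docker://"):
            status = "docker"
        else:
            _, _, version = ref.rpartition("@")
            status = "pinned" if SHA_RE.match(version) else "floating"
        findings.append((ref, status, comment))
    return findings

def unpinned(text):
    """Just the mutable references a maintainer would want to pin."""
    return [ref for ref, status, _ in audit_uses(text) if status == "floating"]

if __name__ == "__main__":
    for ref, status, comment in audit_uses(SAMPLE_WORKFLOW):
        print(f"{status:8} {ref}" + (f"  (version {comment})" if comment else ""))
```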