Support "lock file" equivalent for GitHub actions

[yurishkuro]

Describe the enhancement

Using pinned dependencies for repeatable builds is a common practice. Many dependency managers implement it by allowing engineers to edit a dependencies file using semver versions, and resolving those to a specific hash that is stored in a "lock file". However, GH Actions do not provide that distinction.

From https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

For GitHub workflows, pin dependencies by hash. See main.yaml for example. To determine the permissions needed for your workflows, you may use StepSecurity's online tool by ticking the "Pin actions to a full length commit SHA".

This ^ type of recommendation ensures repeatable build but creates a maintenance burden. I am not even sure if dependabot will be able to upgrade GH workflows that pin actions to specific commits.

Is it possible to support an equivalent of the "lock file" for GH workflows?

[StevenMaude]

I am not even sure if dependabot will be able to upgrade GH workflows that pin actions to specific commits.

@yurishkuro: If your question is: "can Dependabot upgrade versions of commit hash-pinned actions to the latest tagged version, and still retain a hash after upgrading?", then that should work, I think, as per dependabot/dependabot-core#2492

I've certainly had it work on my own repositories; example.

That doesn't address the lock file suggestion here, but does at least mean you can still use Dependabot for this.

(I just happened to be browsing this repository's issues, read this issue, and saw that you had the question in the linked issue; hope it helps! 😃)

[github-actions]

This issue is stale because it has been open 365 days with no activity. Remove stale label or comment or this will be closed in 15 days.

[github-actions]

This issue was closed because it has been stalled for 15 days with no activity.

[arianvp]

Could this be reopened? The current security model of Github Actions is sorely lacking in the face of supply-chain attacks.

The problem is that pinning a Github Action by commit doesn't bring you anything in the presence of Composite Actions.

arianvp/checkout-action@aea9382 could depend on randomdude/very-suspicious-action@main and eventhough I check out aea9382 every time; I will get a different copy of randomdude/very-suspicious-action. There currently is no way to avoid this.

The action that you pin might in turn pull in arbitrary amount of unpinned actions. We want to pin actions transitively but this is not supported. For this we require a lock file urgently.

[arianvp]

This attack is explained in detail here:

https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/

Problematic issues:

• Docker containers aren't pinned
• Composite actions aren't pinned
• Reusable workflows aren't pinned

According to Palo-Alto 67% of all github repositories that use pinning are still vulnerable to this supply chain attacks due to this deficiency

[MarkusSintonen]

x-post

It is terrible that Github actions do not support "lock file" mechanism for locking the chain of action dependencies. Any decent dependency managers support "lock file" mechanisms which eg avoids pulling new versions of dependencies which may contain malicious code (1 2 3). Github actions usually refer to other actions via version tags. This is fundamentally broken as git tags are mutable. Neither does the SHA pinnig really work because you have no guarantees that the dependency you are using is also using SHA pinning in its own dependencies! This means that using any external action opens a door to attacks. You have absolutely no guarantees that you are not pulling some newly introduced malicious code into your systems.

You are probably aware of the recent huge issue where every single version tag was changed to contain malware in the widely used tj-actions/changed-files. (ref1 / ref2) Neither does SHA pinning this action in your own dependencies work because it is most probably used already as a non pinned transient dependency (1)!

You really need to reconsider reopenning the issue.

Github really needs to step up with their security game on ensuring such supply chain attacks are no longer possible!

[agriyakhetarpal]

FYI, immutable actions are on GitHub's roadmap, which should satisfy this use case well: github/roadmap#592

[MarkusSintonen]

FYI, immutable actions are on GitHub's roadmap, which should satisfy this use case well: github/roadmap#592

I know and it has been on the roadmap since 2022. :/ I truly hope Github finally opens their eyes on how fundamentally broken the actions dependency handling is.