Update GitHub Actions to pinned SHA versions #571
The workflow files use unpinned action versions (e.g., `@v2`, `@v1`), which can introduce breaking changes or security vulnerabilities when action maintainers publish new releases under the same tag. This change updates all GitHub Actions to use pinned SHA versions with version comments for readability:

- `actions/checkout@v2` → `@8e8c483` (v6.0.1)
- `erlef/setup-beam@v1` → `@e6d7c94` (v1.20.4)
- `actions/upload-artifact@v4` → `@b7c566a` (v6.0.0)
- `ncipollo/release-action@v1.13.0` → `@b7eabc9` (v1.20.0)
- `peter-evans/repository-dispatch@v2` → `@2895959` (v4.0.1)

Additionally, this adds a new workflow and script to detect outdated actions automatically. The `check-actions-updates.sh` script uses `actions-up` to identify available updates and fails the workflow when updates are found, ensuring the team is notified to keep actions current.
Thanks @lukebakken - how would we ever know if any dep is poisoned before we update and run it?
Are you concerned about the SHAs? I could add a "double-check" to verify that the referenced SHA actually does point to a tag in the linked repo... which is, again, what
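The two checks discussed above, the pin audit from the PR description and the "double-check" that a pinned SHA really corresponds to the tag named in its comment, as an added example. This is not the PR's `check-actions-updates.sh`, not `actions-up`, and not GitHub's tooling; the function names, the constructed sample workflow and its 40-hex SHA are all assumptions made here. `check_pins` runs offline on a workflow file path; `verify_pin_tag` needs network access to `git ls-remote` the upstream repo and is only called when you invoke it yourself.

```shell
#!/bin/sh
# Added example, not code from the rabbitmq PR, actions-up, or GitHub.
# Audits every `uses:` line in a workflow file: is the action pinned to a
# full 40-hex commit SHA (GitHub's documented immutable form), and what
# version comment accompanies it? A second function double-checks, against
# the upstream repo, that the commented tag really points at that SHA.
set -u

# Report one tab-separated line per `uses:` entry:  STATUS  action  ref  comment
# STATUS is PINNED (full 40-hex SHA or sha256 image digest), SHORT (an
# abbreviated hex ref, which is not an immutable pin), UNPINNED (tag or
# branch), or NOREF (local path / bare image with no '@' to check).
# Returns 1 if any entry is not PINNED, so it can gate a CI job.
check_pins() {
  _file="$1"
  _bad=0
  while IFS= read -r _line || [ -n "$_line" ]; do
    # Only real step lines: optional "- " then "uses:"; skips commented-out ones.
    printf '%s\n' "$_line" | grep -Eq '^[[:space:]]*-?[[:space:]]*uses:' || continue
    _spec=$(printf '%s\n' "$_line" | sed -E 's/^.*uses:[[:space:]]*//')
    # The trailing "# vX.Y.Z" is only a human hint; keep it for the report.
    _comment=$(printf '%s\n' "$_spec" | sed -nE 's/^[^#]*#[[:space:]]*(.*)$/\1/p')
    _spec=$(printf '%s\n' "$_spec" | sed -E 's/[[:space:]]*#.*$//' | sed -e 's/"//g' -e "s/'//g")
    case "$_spec" in
      *@*) _action=${_spec%@*}; _ref=${_spec#*@} ;;
      *)   printf 'NOREF\t%s\t-\t%s\n' "$_spec" "${_comment:--}"; continue ;;
    esac
    if printf '%s\n' "$_ref" | grep -Eq '^([0-9a-f]{40}|sha256:[0-9a-f]{64})$'; then
      _status=PINNED
    elif printf '%s\n' "$_ref" | grep -Eq '^[0-9a-f]{7,39}$'; then
      _status=SHORT; _bad=1
    else
      _status=UNPINNED; _bad=1
    fi
    printf '%s\t%s\t%s\t%s\n' "$_status" "$_action" "$_ref" "${_comment:--}"
  done < "$_file"
  return $_bad
}

# Double-check a pin against upstream: does the tag named in the comment
# resolve to the pinned commit? Needs network, so it is never run implicitly.
# An annotated tag shows up twice in ls-remote (tag object, then the peeled
# commit as "refs/tags/TAG^{}"); the last line is the commit either way.
verify_pin_tag() {
  _action="$1"; _sha="$2"; _tag="$3"
  _repo=$(printf '%s\n' "$_action" | cut -d/ -f1,2)   # drop any subdirectory part
  _resolved=$(git ls-remote --tags "https://github.com/${_repo}.git" \
      "refs/tags/${_tag}" 2>/dev/null | awk '{print $1}' | tail -n 1)
  [ -n "$_resolved" ] && [ "$_resolved" = "$_sha" ]
}

# Constructed sample workflow (not a real project file; the 40-hex SHA is fake).
write_demo_workflow() {
  cat > "$1" <<'EOF'
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.1
      - uses: erlef/setup-beam@v1
      - uses: "actions/upload-artifact@b7c566a" # v6.0.0
      - uses: ./.github/actions/local-helper
      # - uses: some/old-action@v0   (commented out, must be ignored)
EOF
}

# `sh check_pins.sh --demo` prints the report for the sample and exits 1,
# because not every entry is a full-SHA pin.
if [ "${1:-}" = "--demo" ]; then
  _demo=$(mktemp)
  write_demo_workflow "$_demo"
  check_pins "$_demo"
  _rc=$?
  rm -f "$_demo"
  exit $_rc
fi
```

The audit treats an abbreviated hex ref as SHORT rather than PINNED on purpose: the 7-character forms are fine as display shorthand (the PR description shows them that way), but inside the workflow file only the full 40-hex SHA is the immutable reference. The version comment next to a pin is never checked by Actions itself, which is why `verify_pin_tag actions/checkout <sha> v6.0.1` exists as a separate, explicitly network-dependent step.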
Just wonder how I (a mere mortal) can ensure that the updated versions are ok to use (from a security POV).
How does anyone do it now? 🤷♂️
not a scoobie :)
the-mikedavis left a comment:
I think dependabot might be able to create update PRs for this? I'm not totally sure what dependabot will do with actions tied to revisions but this old issue makes me think it might work: dependabot-core#4691
Yeah, I put together this process to avoid setting up any bots 😸
This is a very unorthodox way of managing action dependencies, in particular with automation for upgrades. Well, maybe this is better than everyone using (and syncing once a year or so) their own forks of every popular action repository.
@lukebakken on reflection, can we not have this run for every PR build but rather as a separate daily job?
Follow-up to rabbitmq#571 It turns out dependabot can update GHA ([docs](https://docs.github.com/en/code-security/how-tos/secure-your-supply-chain/secure-your-dependencies/keeping-your-actions-up-to-date-with-dependabot))