ci: harden reusable GitHub Actions #12
One thing we need to be uber careful of is allowing PRs which change the pinned SHA of a GitHub Action without it being actually confirmed as belonging to the repo we think we're fetching it from. GitHub will allow SHAs from any fork to resolve under the "real"
| steps: | ||
| - name: Rust cache | ||
| uses: Swatinem/rust-cache@v2 | ||
| uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 |
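Review bot: on the new `uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2` line, the trailing comment names the moving major tag `v2`, so a reviewer cannot tell from the diff which release this SHA corresponds to or that it lives in Swatinem/rust-cache rather than in a fork. Consider recording the exact release tag in the comment and linking the commit in the upstream repository, so a later change to the SHA can be checked against that reference.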
I would like it if we would make it a practice to have a comment above these with a hyperlink to the referenced commit - to make review easier should the SHA change in a PR.
Yep, 💯 you're talking about impostor commits, that's where the included zizmor linter and action included in this PR come in: https://docs.zizmor.sh/audits/#impostor-commit. (the current setting sets online-audits to true, which turns impostor-commit detection on)
bobbinth
left a comment
A very superficial review from me - but looks good! Thank you!
This tightens the shared GitHub Actions without changing their public inputs or expected behavior.
It pins third-party actions to full commit SHAs, gives each workflow permissions: {} by default, adds job-level token scopes, disables checkout credential persistence, and moves user-controlled values out of shell code paths so they are read as quoted environment variables instead.
It also adds a pinned zizmor-action workflow. The new check gates high-severity findings only, because the remaining medium findings ask for deployment environments around secrets. Adding those here would change caller approval and secret behavior.
The Debian action change that looks odd is the removal of type: choice and options from the composite action inputs. GitHub composite actions do not support those keys; actionlint treats them as invalid metadata. The real arch allow-list is still enforced by the publishing job matrix: arch: [amd64, arm64]. So the behavior stays the same, but the action metadata becomes valid.
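A minimal offline check for two of the hardening points in the description above (full-SHA pins and no `${{ }}` expressions inside `run:` scripts), as an added example that is not code from this PR or from zizmor. The rule names, the `inputs.version` input and the sample workflow are constructed for illustration; the check only validates the form of a pin, and confirming that a SHA belongs to the named repository (the impostor-commit case) still needs an online audit.

```python
import re

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")                  # full commit SHA
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")      # `uses:` key
RUN = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")            # `run:` key
EXPR = re.compile(r"\$\{\{.*?\}\}")                       # ${{ ... }} expression

def audit_workflow(text):
    """Return (line_no, rule, detail) findings; rule names are made up here."""
    findings = []
    run_col = None  # column of the `run:` key while inside its block scalar
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None:
            if line.strip() and indent <= run_col:
                run_col = None                    # block scalar ended
            else:
                findings += [(no, "expression-in-run", e) for e in EXPR.findall(line)]
                continue
        m = USES.match(line)
        if m:
            target = m.group(1)
            local = target.startswith(("./", "docker://"))
            if not local and not SHA_PIN.match(target.rpartition("@")[2]):
                findings.append((no, "unpinned-action", target))
            continue
        m = RUN.match(line)
        if m:
            body = m.group(1)
            if body[:1] in ("|", ">"):
                run_col = line.index("run:")      # multi-line script follows
            else:
                findings += [(no, "expression-in-run", e) for e in EXPR.findall(body)]
    return findings

# Constructed sample: one tag pin, one SHA pin, one weak and one hardened step.
SAMPLE = """\
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: Swatinem/rust-cache@v2
      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
      - name: weak
        run: |
          echo "building ${{ inputs.version }}"
      - name: hardened
        env:
          VERSION: ${{ inputs.version }}
        run: |
          echo "building $VERSION"
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

The hardened step passes because the expression is evaluated into the `env:` mapping and the script only reads the quoted variable.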