Skip to content

ci: pin third-party actions to full commit SHAs#3026

Open
kobihikri wants to merge 1 commit into
standardnotes:mainfrom
kobihikri:harden/pin-thirdparty-actions
Open

ci: pin third-party actions to full commit SHAs#3026
kobihikri wants to merge 1 commit into
standardnotes:mainfrom
kobihikri:harden/pin-thirdparty-actions

Conversation

@kobihikri

Copy link
Copy Markdown

What

Pin three third-party actions currently on @master/@main to their commit SHA:

Action Where Credentials
chetan/invalidate-cloudfront-action@master web.release.prod.yml (deploy) production AWS access key + secret
convictional/trigger-workflow-and-wait@master snjs.pr.yml (e2e-base, e2e-vaults) CI_PAT_TOKEN (PAT)
johnnyhuy/actions-discord-git-webhook@main web.release.prod.yml (notify) DISCORD_WEBHOOK_URL

Why

@master/@main are moving refs. The invalidate-cloudfront-action step is handed the production AWS
access key + secret
; a moved tag there (compromise or an accidental change) would run unreviewed code
with those keys — the class behind the 2025 tj-actions/changed-files incident, here allowing S3/CloudFront
takeover. Pinning to a SHA removes that.

Scope / safety

Behaviour unchanged (each SHA is the current tip). Signed-off. Per GitHub's pin-to-SHA guidance.

AI-assisted; I verified the workflows, the credential exposure, and the pinned SHAs myself.

Pin third-party actions on mutable @master/@main tags in credentialed jobs:
- chetan/invalidate-cloudfront-action (web.release.prod.yml) — handed production AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
- convictional/trigger-workflow-and-wait (snjs.pr.yml, e2e jobs) — handed CI_PAT_TOKEN
- johnnyhuy/actions-discord-git-webhook (web.release.prod.yml) — handed DISCORD_WEBHOOK_URL

A moved tag would run unreviewed code with those credentials. Behaviour
unchanged; per GitHub's pin-to-SHA guidance.

Signed-off-by: Kobi Hikri <kobi.hikri@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant