Improve your GitHub Actions security
Just before Christmas, Julien Renaux published a thought provoking article on the risks of using GitHub actions that you don’t own. You can read the whole thing, but Julien provides a summary for us at the top:
TL;DR: Using GitHub actions with branch names or tags is unsafe. Use commit hash instead.
I agree with Julien that using arbitary actions is a risk, but as always it’s a compromise between security and making life easy for ourselves. Specifying a commit hash each time we want to upgrade could become painful very quickly, especially if you’re using a large number of actions.
With that in mind, I thought about how we could solve the problem with automation and came up with the following solution.
pin-github-action
pin-github-action is a command line tool that allows you to target any commit reference, be it a branch, tag or sha whilst pinning to a specific sha in your actions.
It works by looking for any uses step in your workflows and replacing it with a sha and a comment.
yaml
Becomes
yaml
This allows us to depend on a specific sha whilst still knowing what the original pinned version was. If we run the tool again, it will look up the latest sha for master (whether it’s a sha, tag or branch, in that order) and update the workflow to use that sha.
Using pin-github-action
The tool is written in Node, which means you’ll need to install it with npm.
bash
If you get a permissions error, you may need to run
sudo npm installinstead
Once it’s installed, you provide the tool with a workflow file and it takes care of the rest.
bash
If you’re using any private actions, you’ll need to provide the tool with a GitHub access token that can read the relevant repository
bash
Contributing
If you’re interested in reading the code or contributing the project, the source is available on GitHub