Improve your GitHub Actions security
Just before Christmas, Julien Renaux published a thought-provoking article on the risks of using GitHub actions that you don’t own. You can read the whole thing, but Julien provides a summary for us at the top:
TL;DR: Using GitHub actions with branch names or tags is unsafe. Use commit hash instead.
I agree with Julien that using arbitrary actions is a risk, but as always it’s a compromise between security and making life easy for ourselves. Specifying a commit hash each time we want to upgrade could become painful very quickly, especially if you’re using a large number of actions.
With that in mind, I thought about how we could solve the problem with automation and came up with the following solution.
pin-github-action
`pin-github-action` is a command line tool that allows you to target any commit reference, be it a branch, tag or sha, whilst pinning to a specific sha in your actions. It works by looking for any `uses` step in your workflows and replacing it with a sha and a comment.
```yaml
uses: actions/checkout@master
```
Becomes
```yaml
uses: actions/checkout@db41740e12847bb616a339b75eb9414e711417df # pin@master
```
This allows us to depend on a specific sha whilst still knowing what the original pinned version was. If we run the tool again, it will look up the latest sha for `master` (whether it’s a sha, tag or branch, in that order) and update the workflow to use that sha.
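To make the mechanism concrete, here is an added example (my own illustration, not the code of `pin-github-action`) that does the two things a team actually wants from this approach: rewrite every `uses:` step to a sha while recording the chosen ref in a `# pin@<ref>` comment, and audit a workflow for any step that is still not pinned to a full sha. It assumes a constructed lookup table (`FAKE_REFS`) standing in for the GitHub API call that resolves a ref to a commit, so it runs offline; the function and constant names are mine.

```javascript
// Added example, not part of pin-github-action. Pins `uses:` references in a
// GitHub Actions workflow to a commit sha and audits for unpinned steps.

// A full 40-hex-digit commit sha.
const SHA_RE = /^[0-9a-f]{40}$/;
// "uses: owner/repo@ref", optionally followed by an existing "# pin@ref" comment.
// Local (./path) and docker:// actions contain no "@" and are left untouched.
const USES_RE = /^(\s*-?\s*uses:\s*)([^@\s]+)@(\S+)(\s*#\s*pin@(\S+))?\s*$/;

// Constructed stand-in for the GitHub API lookup the real tool performs.
// The real tool tries sha, then tag, then branch; this table is just "repo@ref" -> sha.
const FAKE_REFS = {
  "actions/checkout@master": "db41740e12847bb616a339b75eb9414e711417df",
  "actions/checkout@v2": "0000000000000000000000000000000000000002",
};

function resolveRef(repo, ref) {
  const sha = FAKE_REFS[`${repo}@${ref}`];
  if (!sha) throw new Error(`cannot resolve ${repo}@${ref}`);
  return sha;
}

// Rewrites each `uses:` line to "repo@<sha> # pin@<ref>". When a line is already
// pinned, the comment tells us which ref the user originally chose, so re-running
// refreshes the sha for that ref rather than pinning the old sha to itself.
function pinWorkflow(text, resolve = resolveRef) {
  return text
    .split("\n")
    .map((line) => {
      const m = USES_RE.exec(line);
      if (!m) return line;
      const [, prefix, repo, target, , pinnedRef] = m;
      const ref = pinnedRef || target;
      // A ref that is already a sha needs no lookup.
      const sha = SHA_RE.test(ref) ? ref : resolve(repo, ref);
      return `${prefix}${repo}@${sha} # pin@${ref}`;
    })
    .join("\n");
}

// Audit helper: returns every `uses:` step whose target is not a full sha,
// with its 1-based line number, so a CI check can fail on unpinned actions.
function unpinnedActions(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const m = USES_RE.exec(line);
    if (m && !SHA_RE.test(m[3])) {
      findings.push({ line: i + 1, uses: `${m[2]}@${m[3]}` });
    }
  });
  return findings;
}

// Constructed sample workflow mixing a branch ref, a tag ref and a local action.
const SAMPLE_WORKFLOW = [
  "jobs:",
  "  build:",
  "    steps:",
  "      - uses: actions/checkout@master",
  "      - uses: actions/checkout@v2",
  "      - uses: ./.github/actions/local-step",
].join("\n");

console.log(pinWorkflow(SAMPLE_WORKFLOW));
console.log("unpinned before:", unpinnedActions(SAMPLE_WORKFLOW));
console.log("unpinned after:", unpinnedActions(pinWorkflow(SAMPLE_WORKFLOW)));

module.exports = { pinWorkflow, unpinnedActions, resolveRef, SAMPLE_WORKFLOW };
```

Running the audit on its own in CI (fail when `unpinnedActions` returns anything) is the part worth keeping even if you pin by hand: it catches the one-off `@master` that slips into a new workflow after everything else was pinned.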
Using pin-github-action
The tool is written in Node, which means you’ll need to install it with `npm`.
```bash
npm install -g pin-github-action
```
If you get a permissions error, you may need to run `sudo npm install` instead.
Once it’s installed, you provide the tool with a workflow file and it takes care of the rest.
```bash
pin-github-action /path/to/.github/workflows/your-name.yml
```
If you’re using any private actions, you’ll need to provide the tool with a GitHub access token that can read the relevant repository.
```bash
GH_ADMIN_TOKEN=<your-token-here> pin-github-action /path/to/.github/workflows/your-name.yml
```
Contributing
If you’re interested in reading the code or contributing to the project, the source is available on GitHub.