Improve your Github Actions security

Just before Christmas, Julien Renaux published a thought provoking article on the risks of using GitHub actions that you don’t own. You can read the whole thing, but Julien provides a summary for us at the top:

TL;DR: Using GitHub actions with branch names or tags is unsafe. Use commit hash instead.

I agree with Julien that using arbitary actions is a risk, but as always it’s a compromise between security and making life easy for ourselves. Specifying a commit hash each time we want to upgrade could become painful very quickly, especially if you’re using a large number of actions.

With that in mind, I thought about how we could solve the problem with automation and came up with the following solution.

pin-github-action

pin-github-action is a command line tool that allows you to target any commit reference, be it a branch, tag or sha whilst pinning to a specific sha in your actions.

It works by looking for any uses step in your workflows and replacing it with a sha and a comment.

actions/[email protected]

Becomes

actions/[email protected] # [email protected]

This allows us to depend on a specific sha whilst still knowing what the original pinned version was. If we run the tool again, it will look up the latest sha for master (whether it’s a sha, tag or branch, in that order) and update the workflow to use that sha.

If you’re interested in learning more about Actions, check out Building Github Actions to learn how to build your own custom actions in any language

Using pin-github-action

The tool is written in Node, which means you’ll need to install it with npm.

npm install -g pin-github-action

If you get a permissions error, you may need to run sudo npm install instead

Once it’s installed, you provide the tool with a workflow file and it takes care of the rest.

pin-github-action /path/to/.github/workflows/your-name.yml

If you’re using any private actions, you’ll need to provide the tool with a GitHub access token that can read the relevant repository

GH_ADMIN_TOKEN=<your-token-here> pin-github-action /path/to/.github/workflows/your-name.yml

Contributing

If you’re interested in reading the code or contributing the project, the source is available on GitHub

Thoughts on this post

Julien Renaux 2020-01-14

This is awesome!
Thanks for sharing Micheal 👏

Leave a comment?