Just before Christmas, Julien Renaux published a thought provoking article on the risks of using GitHub actions that you don’t own. You can read the whole thing, but Julien provides a summary for us at the top:
TL;DR: Using GitHub actions with branch names or tags is unsafe. Use commit hash instead.
I agree with Julien that using arbitary actions is a risk, but as always it’s a compromise between security and making life easy for ourselves. Specifying a commit hash each time we want to upgrade could become painful very quickly, especially if you’re using a large number of actions.
With that in mind, I thought about how we could solve the problem with automation and came up with the following solution.
pin-github-action is a command line tool that allows you to target any commit reference, be it a
sha whilst pinning to a specific
sha in your actions.
It works by looking for any
uses step in your workflows and replacing it with a
sha and a comment.
uses: actions/checkout@db41740e12847bb616a339b75eb9414e711417df # pin@master
This allows us to depend on a specific
sha whilst still knowing what the original pinned version was. If we run the tool again, it will look up the latest
master (whether it’s a
branch, in that order) and update the workflow to use that
The tool is written in Node, which means you’ll need to install it with
npm install -g pin-github-action
If you get a permissions error, you may need to run
sudo npm installinstead
Once it’s installed, you provide the tool with a workflow file and it takes care of the rest.
If you’re using any private actions, you’ll need to provide the tool with a GitHub access token that can read the relevant repository
GH_ADMIN_TOKEN=<your-token-here> pin-github-action /path/to/.github/workflows/your-name.yml
If you’re interested in reading the code or contributing the project, the source is available on GitHub