Pin GitHub Actions to digests #220

@jhrozek

Hey there 👋
I work on an open source security project (Frizbee) that can automatically pin GitHub Actions to digests (instead of floating tags).

The Frizbee team is trying to spread the word to open source maintainers about the need for this, because pinning your actions to commit hashes is the only way to get an immutable pointer to a specific revision. If an action's source code repo is compromised by a malicious actor, you'll still be referencing a known-good version and your project won't be at risk.

If you want to implement actions pinning, here's how you can easily do this with Frizbee (to avoid having to manually look up the digest for each tag or branch):

  1. Install the Frizbee CLI by following these instructions
  2. Use the `frizbee actions` command to parse all of your Actions workflows and replace the needed tags with the commit checksum
  3. Done!

Note: Dependabot supports updating pinned actions and will continue to update them. For convenience, Frizbee appends a comment with the version of this action.

If it's easier for you, I can go ahead and create a PR for the above steps. I wanted to make sure this was something you'd want to move forward with first before doing that.
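As an added example (not part of this issue, and not Frizbee's own code), the script below shows the idea behind the steps above in a few dozen lines of Python: it scans a workflow for `uses:` references that still point at a tag or branch, and rewrites them to a full commit digest while keeping the original tag as a trailing comment, which is the form that lets humans and Dependabot see which version is pinned. The sample workflow, the `PLACEHOLDER_DIGESTS` table and the function names (`find_unpinned`, `pin_workflow`, `offline_resolver`, `git_ls_remote_resolver`) are all constructed for this example; every digest in it is a placeholder, not the real commit SHA of the tag it sits next to.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Matches a step reference of the form "uses: owner/repo[/subpath]@ref  # comment".
# Local actions ("./path") and "docker://" images never match and are left alone.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
# Only a full 40-hex commit SHA is an immutable pointer; tags and branches can move.
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# A resolver maps (action, floating ref) -> commit SHA, or None if it cannot resolve.
Resolver = Callable[[str, str], Optional[str]]


def is_pinned(ref: str) -> bool:
    """True when the ref is already a full commit digest."""
    return FULL_SHA_RE.fullmatch(ref) is not None


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Report (line number, action, ref) for every step still using a tag or branch."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            findings.append((line_no, m.group("action"), m.group("ref")))
    return findings


def pin_workflow(workflow_text: str, resolve: Resolver) -> Tuple[str, int]:
    """Rewrite floating refs to digests, keeping the original tag as a trailing comment.
    Returns (rewritten text, number of refs pinned); unresolvable refs are left as-is."""
    out, pinned = [], 0
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not is_pinned(m.group("ref")):
            sha = resolve(m.group("action"), m.group("ref"))
            if sha is not None and is_pinned(sha):
                line = f"{m.group('prefix')}{m.group('action')}@{sha} # {m.group('ref')}"
                pinned += 1
        out.append(line)
    trailing = "\n" if workflow_text.endswith("\n") else ""
    return "\n".join(out) + trailing, pinned


def git_ls_remote_resolver(action: str, ref: str) -> Optional[str]:
    """Resolve a tag or branch with `git ls-remote` (needs network; not used by the test).
    Annotated tags are listed twice, as the tag object and as the peeled commit
    ("refs/tags/<ref>^{}"); the peeled commit is the digest a workflow must pin to."""
    owner_repo = "/".join(action.split("/")[:2])  # drop any subpath inside the repo
    url = f"https://github.com/{owner_repo}"
    result = subprocess.run(
        ["git", "ls-remote", url, f"refs/tags/{ref}", f"refs/heads/{ref}"],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:
        return None
    listed: Dict[str, str] = {}
    for line in result.stdout.splitlines():
        sha, _, name = line.partition("\t")
        listed[name] = sha
    return (listed.get(f"refs/tags/{ref}^{{}}")
            or listed.get(f"refs/tags/{ref}")
            or listed.get(f"refs/heads/{ref}"))


# --- Constructed sample input (not taken from any real project) ---------------
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local-step
      - name: Lint
        uses: golangci/golangci-lint-action@v3.7.0
      - uses: docker://alpine:3.19
"""
# Constructed tag -> digest table standing in for the network lookup. The SHAs
# are placeholders, not the real digests of these tags.
PLACEHOLDER_DIGESTS = {
    ("actions/checkout", "v4"): "89abcdef0123456789abcdef0123456789abcdef",
    ("golangci/golangci-lint-action", "v3.7.0"): "fedcba9876543210fedcba9876543210fedcba98",
}


def offline_resolver(action: str, ref: str) -> Optional[str]:
    return PLACEHOLDER_DIGESTS.get((action, ref))


if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is not pinned to a digest")
    rewritten, count = pin_workflow(SAMPLE_WORKFLOW, offline_resolver)
    print(f"pinned {count} reference(s)\n{rewritten}")
```

Two details worth noting when doing this by hand or in CI: a short SHA is not accepted as pinned here because only the full 40-hex digest is immutable, and for annotated tags `git ls-remote` returns both the tag object and the peeled commit, of which only the latter (the `^{}` line) is the value a workflow should carry. Running `find_unpinned` over every file under `.github/workflows/` makes a cheap lint step that fails the build when a floating reference is reintroduced.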
