Just before Christmas, Julien Renaux published a thought provoking article on the risks of using GitHub actions that you don’t own. You can read the whole thing, but Julien provides a summary for us at the top:
TL;DR: Using GitHub actions with branch names or tags is unsafe. Use commit hash instead.
I agree with Julien that using arbitary actions is a risk, but as always it’s a compromise between security and making life easy for ourselves. Specifying a commit hash each time we want to upgrade could become painful very quickly, especially if you’re using a large number of actions.
With that in mind, I thought about how we could solve the problem with automation and came up with the following solution.
pin-github-action
pin-github-action is a command line tool that allows you to target any commit reference, be it a branch, tag or sha whilst pinning to a specific sha in your actions.
It works by looking for any uses step in your workflows and replacing it with a sha and a comment.
actions/checkout@master
Becomes
actions/checkout@db41740e12847bb616a339b75eb9414e711417df # pin@master
This allows us to depend on a specific sha whilst still knowing what the original pinned version was. If we run the tool again, it will look up the latest sha for master (whether it’s a sha, tag or branch, in that order) and update the workflow to use that sha.
If you're interested in learning more about Actions, check out Building Github Actions to learn how to build your own custom actions in any language
Using pin-github-action
The tool is written in Node, which means you’ll need to install it with npm.
npm install -g pin-github-action
If you get a permissions error, you may need to run
sudo npm installinstead
Once it’s installed, you provide the tool with a workflow file and it takes care of the rest.
pin-github-action /path/to/.github/workflows/your-name.yml
If you’re using any private actions, you’ll need to provide the tool with a GitHub access token that can read the relevant repository
GH_ADMIN_TOKEN=<your-token-here> pin-github-action /path/to/.github/workflows/your-name.yml
Contributing
If you’re interested in reading the code or contributing the project, the source is available on GitHub
Top comments (1)
Nice idea and implementation.