Add optional lint to require that actions are pinned to commit hashes #436
mortenson wants to merge 3 commits into rhysd:main from
Conversation
```go
	"zoom-out": {},
}

var hashRegex = regexp.MustCompile("^[0-9a-f]{40}$")
```
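Review bot: `hashRegex` only accepts lowercase hex digits, so a 40-character ref written in uppercase hex would be reported as unpinned even though git resolves hex object names case-insensitively; either widen the class to `[0-9a-fA-F]` or state in the rule's error message that the canonical lowercase form is required, so users understand why such a ref is flagged.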
You could use short hashes as well, but I was almost certain that would conflict with branch names so this seems better.
ChrisCarini left a comment
Awesome! 🎉 👏
Looking forward to seeing this feature incorporated since it is a recommended 'security hardening' best-practice that GitHub states: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
@rhysd what do you think? Viable and/or any changes you'd suggest?
05e056b to 5aaa4ce
@mortenson any chance on moving this forward? That's a very nice addition that we'd like to use.
Given recent events it would be incredibly helpful to incorporate this rule into
@rhysd - thoughts here on this PR? What remains for you to feel comfortable merging it in and releasing?
A popular third-party action has recently been compromised [1][2] and the attacker managed to point multiple git version tags to a malicious commit containing code to exfiltrate secrets. This PR follows GitHub's recommendation [3] to pin third-party actions to a full-length commit hash, to mitigate such attacks. Hopefully actionlint starts warning about this soon [4].

[1] https://www.cve.org/CVERecord?id=CVE-2025-30066
[2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
[3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
[4] rhysd/actionlint#436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
Are there any updates on getting this merged? This would be a really useful feature for us.
1327bf4 to 859504b
This PR addresses the "Pin Actions to a full length commit SHA" part of #198 by optionally enforcing that actions are pinned to (full) commit hashes.
This can be enabled by setting `require-commit-hash` to `true` in `actionlint.yaml`.

I haven't contributed to this repo before, so please let me know if you'd like any changes!
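As an added illustration of what the proposed rule checks (example code written for this page, not actionlint's own implementation): a small Go program that scans workflow text for `uses:` references and reports every remote action whose ref is not a full 40-hex commit hash. It reuses the PR's `hashRegex` pattern; the line-based `uses:` scan, the `CheckUsesPinned` function, the decision to skip local (`./`) and `docker://` references, and the sample workflow are assumptions made here for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// hashRegex mirrors the pattern from the PR: a full 40-hex-digit SHA-1 commit hash.
var hashRegex = regexp.MustCompile(`^[0-9a-f]{40}$`)

// usesRegex pulls the value of a `uses:` key out of one workflow line.
// Assumption for this example: a plain line scan is enough; actionlint itself
// works on a parsed YAML tree, which this demo does not reproduce.
var usesRegex = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'#\s]+)["']?`)

// Finding describes one `uses:` reference that is not pinned to a full commit hash.
type Finding struct {
	Line   int    // 1-based line number in the workflow text
	Action string // owner/repo[/path] part before '@'
	Ref    string // whatever followed '@' ("" if there was no '@')
}

// CheckUsesPinned returns a Finding for each remote action whose ref is not a
// 40-hex commit hash. Local actions ("./...") and docker images are skipped,
// since a git commit hash does not apply to them (assumption of this example).
func CheckUsesPinned(workflow string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRegex.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		spec := m[1]
		if strings.HasPrefix(spec, "./") || strings.HasPrefix(spec, "docker://") {
			continue
		}
		action, ref, found := strings.Cut(spec, "@")
		// A tag, branch, short hash, or missing ref all fail the full-hash check.
		if !found || !hashRegex.MatchString(ref) {
			findings = append(findings, Finding{Line: i + 1, Action: action, Ref: ref})
		}
	}
	return findings
}

// sampleWorkflow is a constructed workflow for the demo (not from any real repo).
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: unpinned branch
        uses: some-org/some-action@main
      - uses: some-org/other@abc1234 # short hash, rejected on purpose
`

func main() {
	for _, f := range CheckUsesPinned(sampleWorkflow) {
		fmt.Printf("line %d: %s@%s is not pinned to a full commit hash\n", f.Line, f.Action, f.Ref)
	}
}
```

Running it reports the `v4` tag, the `main` branch, and the short `abc1234` hash, while the 40-hex `setup-go` pin, the local action, and the docker image pass. Note that, like the PR's regex, a full hash written in uppercase would also be flagged.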