Comment by Raed667
8 days ago
To get something of a lockfile you can use the hash of the version you want to pin your dependencies:
> actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
8 days ago
To get something of a lockfile you can use the hash of the version you want to pin your dependencies:
> actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
TFA mentions this option and then goes on at some length to explain that this doesn't help for transitive dependencies, which is how these attacks usually work.
Transitive dependencies?
Yeah, only works if all used Actions would use SHAs too, which is not the case.
Positive example: https://github.com/codecov/codecov-action/blob/96b38e9e60ee6... Negative example: https://github.com/armbian/build/blob/54808ecff253fb71615161...
I've also found many Actions that do other dodgy stuff, like pulling and executing unpinned scripts from external websites, or installing unpinned binaries from GitHub releases. Pinning an Action isn't enough, you have to audit it.