diogoteles08 opened a new issue, #36898: URL: https://github.com/apache/arrow/issues/36898
### Describe the enhancement requested Hi! I'm Diogo and I'm back (seeĀ #35706) hoping to offer a bit more help with security enhancements. I noticed that some of your workflows (e.g. the [comment_bot.yml](https://github.com/apache/arrow/blob/main/.github/workflows/comment_bot.yml)) are using `pull_requests: write` permissions while running unpinned external dependencies -- both external github actions and pip packages. This can be dangerous because this permission allows the usage of GitHub API to [approve](https://docs.github.com/en/rest/pulls/reviews?apiVersion=2022-11-28#create-a-review-for-a-pull-request), [merge](https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#merge-a-pull-request) or [push to](https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#update-a-pull-request) an existing PR, which could be abused in case a dependency gets hijacked and changes the code your tags are pointing to, for example. If you wish to keep using the `pull_requests: write` permissions -- which I believe is the case --, a simple and effective way to eliminate that attack vector is to hash-pin the relevant dependencies, which ensures that the code you're calling won't be changed unless you directly change the hashes. Dependabot would still be able to suggest updates to the hash-pinned dependencies, also keeping comments next to the dependencies with their human-readable version. To illustrate the required changes to achieve that: For the GitHub Actions, the pinning would mean changing the calls like `- uses: r-lib/actions/pr-fetch@v2` to `- uses: r-lib/actions/pr-fetch@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v1.3.1`. For the pip dependencies (like [this one](https://github.com/apache/arrow/blob/main/.github/workflows/comment_bot.yml#L105)) it wouldn't be so easy, because we'd need a hash-pinned `requirements.txt` to install the dependencies using it (dependabot would also be able to update it). I'd totally understand if you prefer not to act on those as they are just a few, but I'd also be available to elaborate on the needed changes if you want. If you have interest, I'd be happy to discuss the changes and raise a PR implementing them. Cheers, ### Component(s) Continuous Integration -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
