[jira] [Updated] (BEAM-11035) Pin versions of "untrusted" 3rd-party GitHub Actions

Tyson Hamilton (Jira) Wed, 28 Oct 2020 13:47:19 -0700


     [ 
https://issues.apache.org/jira/browse/BEAM-11035?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Tyson Hamilton updated BEAM-11035:
----------------------------------
    Status: Resolved  (was: Open)

> Pin versions of "untrusted" 3rd-party GitHub Actions
> ----------------------------------------------------
>
>                 Key: BEAM-11035
>                 URL: https://issues.apache.org/jira/browse/BEAM-11035
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system, testing
>            Reporter: Tobiasz Kedzierski
>            Assignee: Tobiasz Kedzierski
>            Priority: P1
>              Labels: security
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> [https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions]
> quote:
> Pinning an action to a full length commit SHA is currently the only way to 
> use an action as an immutable release. Pinning to a particular SHA helps 
> mitigate the risk of a bad actor adding a backdoor to the action's 
> repository, as they would need to generate a SHA-1 collision for a valid Git 
> object payload.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (BEAM-11035) Pin versions of "untrusted" 3rd-party GitHub Actions

Reply via email to