larouxn left a comment (openstreetmap/openstreetmap-website#6332)
To be clear, SHA pinning GitHub Actions dependencies is considered a best
practice because someone could:
1. Release a bugged/infected/malicious version which, without pinning, runs would
automatically use. Example: `actions/upload-artifact` is locked to v4 now, so
while the latest is v4.6.2, someone could release a v4.6.3, v4.7.0, v4.x.x and
runs would automatically use that the next time they run. A vulnerability.
2. More concerning to me, an existing tagged release could be moved to a new
commit. Example: `actions/upload-artifact`'s latest release is v4.6.2, which our
runs use automatically re: the v4 specified version. Someone could in fact pull
down the pushed v4.6.2 tag, re-tag a different commit with v4.6.2 and push
that up, and the next runs would automatically use that instead. A vulnerability.
ℹ️ I'll admit that, given this repo is only using official GitHub, Ruby, and
Coveralls GitHub Actions dependencies, the risk of the above happening is rather
low compared to if we were using an action from an arbitrary GitHub account, but
the risk still exists.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/6332#issuecomment-3198969289
_______________________________________________
rails-dev mailing list
rails-dev@openstreetmap.org
https://lists.openstreetmap.org/listinfo/rails-dev
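As an added illustration of the check the comment above argues for (example code written for this page, not part of the openstreetmap-website repo or the PR), the script below parses a GitHub Actions workflow and classifies every `uses:` reference: a full 40-hex commit SHA counts as pinned, while a tag or branch name such as `v4` or `v4.6.2` is a mutable ref that both risks in the comment apply to. The workflow text and the 40-hex SHA in it are constructed sample values, not taken from the project. It also covers the case the comment does not spell out, a job-level `uses:` that calls a reusable workflow, which is pinned the same way.

```ruby
require 'yaml'

# Constructed sample workflow (not the project's own); mixes pinned and
# unpinned references so the audit has something to report. The 40-hex SHA is
# a placeholder, not a real ruby/setup-ruby commit.
SAMPLE_WORKFLOW = <<~YAML
  name: ci
  on: [push]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - uses: actions/upload-artifact@v4.6.2
        - uses: ruby/setup-ruby@0123456789abcdef0123456789abcdef01234567 # v1.x (constructed)
        - uses: ./.github/actions/local-thing
        - uses: docker://alpine:3.19
        - run: bundle exec rails test
    lint:
      uses: some-org/reusable-workflows/.github/workflows/lint.yml@main
YAML

FULL_SHA  = /\A[0-9a-f]{40}\z/i
SHORT_SHA = /\A[0-9a-f]{7,39}\z/i

# Classify one `uses:` value. Only a full commit SHA is immutable; a tag or
# branch can be republished or re-pointed at a different commit.
def classify_uses(ref)
  return :local  if ref.start_with?('./')        # action checked into this repo
  return :docker if ref.start_with?('docker://') # image refs need digest pinning instead
  _action, version = ref.split('@', 2)
  return :missing_ref if version.nil? || version.empty?
  return :sha_pinned  if version.match?(FULL_SHA)
  return :short_sha   if version.match?(SHORT_SHA) # abbreviated SHAs are not accepted as stable pins
  :mutable_ref
end

# Walk jobs -> steps (and job-level reusable-workflow calls) and classify each ref.
def audit_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text)
  findings = []
  (doc['jobs'] || {}).each do |job_id, job|
    if job['uses'] # reusable workflow called by the job itself
      findings << { job: job_id, step: nil, uses: job['uses'], status: classify_uses(job['uses']) }
    end
    Array(job['steps']).each_with_index do |step, i|
      ref = step['uses']
      next unless ref
      findings << { job: job_id, step: i, uses: ref, status: classify_uses(ref) }
    end
  end
  findings
end

# Refs that would silently pick up a new or re-tagged release.
def unpinned(yaml_text)
  audit_workflow(yaml_text).select { |f| f[:status] == :mutable_ref }.map { |f| f[:uses] }
end

if __FILE__ == $PROGRAM_NAME
  audit_workflow(SAMPLE_WORKFLOW).each do |f|
    where = f[:step].nil? ? "job #{f[:job]}" : "job #{f[:job]} step #{f[:step]}"
    puts format('%-12s %-12s %s', f[:status], where, f[:uses])
  end
end
```

Running it over a real `.github/workflows/*.yml` file is `audit_workflow(File.read(path))`; anything reported as `mutable_ref` is a candidate for replacing the tag with the commit SHA it currently resolves to, keeping the version as a trailing comment so the pin stays readable.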