SLF4J / SLF4J-591 [Open]
Reference GitHub Actions by SHA and Dependency Update tool

==============================

Here's what changed in this issue in the last few minutes.

This issue has been created
This issue is now assigned to you.


View or comment on issue using this link
https://jira.qos.ch/browse/SLF4J-591

==============================
 Issue created
------------------------------

Diogo Teles Sant Anna created this issue on 14/Jun/23 21:25

Summary:              Reference GitHub Actions by SHA and Dependency Update tool
Issue Type:           Improvement
Assignee:             SLF4J developers list
Created:              14/Jun/23 21:25
Priority:             Minor
Reporter:             Diogo Teles Sant Anna
Severity:             enhancement
Description:
  Hi!
  
  I'd like to know if you are interested in a PR to update your GitHub 
workflows to refer to external actions by their SHAs. This is the only way to 
guarantee that you're using an immutable version of the code, which might 
protect you from tags being moved to malicious or buggy commits. It's a 
recommendation from [GitHub 
itself|https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions]
 and from security tools like Scorecard.
  
  Although it's more reliable and secure, a clear downside of this change is 
the difficulty of maintenance, and that is why at this same Jira ticket I'd 
like to ask if you have considered using a Dependency Update tool, such as 
[Dependabot|https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/]
 or [Renovatebot|https://www.mend.io/renovate/].
  
  Those Dependency Update tools might be useful to help manage the Java 
dependencies of SLF4J, but also have an extra security impact because they 
would always highlight security patches from dependencies, once they're 
available. Additionally, they're especially handy because they automatically 
update the SHAs of the GitHub Actions, also making sure to leave the 
human-readable version as a comment =) .
  
  Let me know what you think of those ideas, I'll be happy to help achieve them.
  
  h4. Additional Context
  I'm Diogo and I work on Google's Open Source Security 
Team ([GOSST|https://opensource.googleblog.com/2023/04/googles-open-source-security-upstream-team-one-year-later.html])
 in cooperation with the Open Source Security Foundation 
([OpenSSF|https://openssf.org/]). My core job is to suggest and implement 
security changes on widely used open source projects 😊
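The pinning the ticket asks for, shown as an added example that is not part of the issue text and not SLF4J's own workflow or tooling: a small Python checker that lists `uses:` references not pinned to a full 40-hex commit SHA, and a rewriter that replaces a tag with its commit and keeps the tag as a trailing comment, which is the same `owner/repo@<sha> # vX` layout Dependabot and Renovate emit. The workflow text, the action names, the SHAs and the tag-to-SHA lookup table are all constructed for this example; in a real run the table would be filled from `git ls-remote --tags` against each action's repository. Local actions (`./...`) and `docker://` images are skipped because they are not GitHub-hosted action tags, and a short SHA is reported as unpinned because only the full-length SHA is an immutable reference.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Matches a step-level or job-level `uses:` line, with optional quotes and
# an optional trailing comment.
USES_RE = re.compile(
    r'^(?P<prefix>\s*(?:-\s*)?uses:\s*)(?P<q>["\']?)(?P<target>[^\s#"\']+)(?P=q)(?P<rest>.*)$'
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow for this example; it is NOT SLF4J's workflow.
SAMPLE_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: '17'
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
      - uses: example/already-pinned@0123456789abcdef0123456789abcdef01234567 # v1.2.0
      - uses: example/short-sha@0123456
      - run: mvn -B verify
"""

# Constructed tag -> commit table standing in for `git ls-remote --tags` output.
# The SHAs are made up for this example and do not belong to any real release.
FAKE_TAG_TO_SHA: Dict[str, str] = {
    "actions/checkout@v3": "a" * 40,
    "actions/setup-java@v3": "b" * 40,
}


def fake_resolve(action: str, ref: str) -> Optional[str]:
    """Resolver over the constructed table; None means 'could not resolve'."""
    return FAKE_TAG_TO_SHA.get(f"{action}@{ref}")


def split_target(target: str) -> Tuple[str, Optional[str]]:
    """'owner/repo@ref' -> ('owner/repo', 'ref'); a target without '@' has ref None."""
    action, sep, ref = target.partition("@")
    return action, (ref if sep else None)


def is_third_party(action: str) -> bool:
    """Local actions and Docker images carry no GitHub tag that could be moved."""
    return not (action.startswith("./") or action.startswith("docker://"))


def is_full_sha(ref: Optional[str]) -> bool:
    """Only a full 40-hex commit SHA is an immutable reference; short SHAs are not."""
    return ref is not None and FULL_SHA_RE.fullmatch(ref) is not None


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, target) for every third-party action not pinned to a full SHA."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = split_target(m.group("target"))
        if is_third_party(action) and not is_full_sha(ref):
            findings.append((lineno, m.group("target")))
    return findings


def pin_actions(
    workflow_text: str, resolve: Callable[[str, str], Optional[str]]
) -> Tuple[str, List[str]]:
    """Rewrite tag references to '<sha> # <tag>'; report targets the resolver cannot map."""
    out: List[str] = []
    unresolved: List[str] = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            action, ref = split_target(m.group("target"))
            if is_third_party(action) and not is_full_sha(ref):
                sha = resolve(action, ref) if ref is not None else None
                if sha is None:
                    unresolved.append(m.group("target"))
                else:
                    # Any previous trailing comment is replaced by the human-readable tag.
                    line = f"{m.group('prefix')}{action}@{sha} # {ref}"
        out.append(line)
    trailing = "\n" if workflow_text.endswith("\n") else ""
    return "\n".join(out) + trailing, unresolved


if __name__ == "__main__":
    print("unpinned before:", find_unpinned(SAMPLE_WORKFLOW))
    pinned, left = pin_actions(SAMPLE_WORKFLOW, fake_resolve)
    print(pinned)
    print("could not resolve:", left)
```

Running the checker on the pinned output still reports `example/short-sha@0123456`, which is the point: a resolver that only knows tags cannot turn a short SHA into a full one, so that line is left untouched and listed for a human. Keeping the checker as a CI step (the same property Scorecard's Pinned-Dependencies check looks at) is what catches a new `@v4` slipping in later, and once the workflow is pinned, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` is what keeps the SHAs moving with upstream releases.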


==============================
 This message was sent by Atlassian Jira (v9.6.0#960000-sha1:a3ee8af)

_______________________________________________
slf4j-dev mailing list
slf4j-dev@qos.ch
https://mailman.qos.ch/cgi-bin/mailman/listinfo/slf4j-dev
