Just before Christmas, Julien Renaux published a thought-provoking article on the risks of using GitHub Actions that you don't own. You can read the whole thing, but Julien provides a summary for us at the top:
TL;DR: Using GitHub actions with branch names or tags is unsafe. Use a commit hash instead.
I agree with Julien that using arbitrary actions is a risk, but as always it's a compromise between security and making life easy for ourselves. A branch or tag can be moved to point at different code after you started depending on it; a commit sha cannot. Looking up and specifying a commit sha by hand each time we want to upgrade could become painful very quickly, especially if you're using a large number of actions.
With that in mind, I thought about how we could solve the problem with automation and came up with the following solution.
pin-github-action is a command line tool that allows you to target any commit reference, be it a tag, branch or sha, whilst pinning to a specific sha in your actions.
It works by looking for any uses step in your workflows and replacing the reference with a sha and a comment recording the original reference:
actions/checkout@db41740e12847bb616a339b75eb9414e711417df # pin@master
This allows us to depend on a specific sha whilst still knowing what the original pinned version was. If we run the tool again, it reads the original reference from the comment, looks up the latest commit for master (whether it's a tag or branch, in that order) and updates the workflow to use that sha.
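To make the rewrite concrete, here is a small Node script written for this page as an illustration; it is not the pin-github-action source. It finds uses steps line by line, resolves the reference through a constructed lookup table that stands in for the GitHub API calls the real tool makes (tags checked before branches), writes the sha followed by a pin comment, and on a second run reads that comment to refresh the sha. It also includes an audit helper, which the post does not describe, that lists any step not pinned to a full sha. The action names, sha values and the lookup table are all made up for the example.

```javascript
// Added example for this page, not the pin-github-action source: a minimal,
// line-based version of "replace the ref with a sha and keep the original ref
// in a comment". FAKE_REFS is a constructed stand-in for the GitHub API
// lookups the real tool performs; every sha in it is made up.

const USES_RE = /^(\s*-?\s*uses:\s*)([^@\s#]+)@([^\s#]+)\s*(?:#\s*pin@(\S+))?\s*$/;
const SHA_RE = /^[0-9a-f]{40}$/;

// Constructed lookup table: "owner/repo" -> { tags, branches } -> sha.
const FAKE_REFS = {
  'actions/checkout': {
    tags: { v2: 'a'.repeat(40) },
    branches: { master: 'db41740e12847bb616a339b75eb9414e711417df' },
  },
  'actions/setup-node': {
    tags: { v1: 'b'.repeat(40) },
    branches: { master: 'c'.repeat(40) },
  },
};

// Resolve a ref to a commit sha. A full sha is returned unchanged; otherwise
// tags are checked before branches, the order the post describes.
function resolveRef(action, ref, refs = FAKE_REFS) {
  if (SHA_RE.test(ref)) return ref;
  const repo = refs[action];
  if (!repo) throw new Error(`unknown action ${action}`);
  const sha = (repo.tags && repo.tags[ref]) || (repo.branches && repo.branches[ref]);
  if (!sha) throw new Error(`ref ${ref} not found for ${action}`);
  return sha;
}

// Rewrite every "uses: owner/repo@ref" line to "uses: owner/repo@<sha> # pin@ref".
// A line that already carries a pin comment keeps its original ref and gets a
// fresh sha, which is what makes re-running the tool an upgrade.
function pinWorkflow(text, refs = FAKE_REFS) {
  return text
    .split('\n')
    .map((line) => {
      const m = USES_RE.exec(line);
      if (!m) return line; // not a uses step, or a local ./path action with no ref
      const [, prefix, action, current, pinned] = m;
      if (action.includes('://')) return line; // docker:// images are outside this example
      if (!pinned && SHA_RE.test(current)) return line; // hand-pinned: no original ref to record
      const originalRef = pinned || current;
      return `${prefix}${action}@${resolveRef(action, originalRef, refs)} # pin@${originalRef}`;
    })
    .join('\n');
}

// Audit helper: every uses step whose ref is not a full 40-hex sha. Running
// this in CI stops an unpinned action from sneaking back into a workflow.
function unpinnedUses(text) {
  const found = [];
  for (const line of text.split('\n')) {
    const m = USES_RE.exec(line);
    if (m && !m[2].includes('://') && !SHA_RE.test(m[3])) found.push(`${m[2]}@${m[3]}`);
  }
  return found;
}

// Constructed sample workflow used as input.
const SAMPLE_WORKFLOW = [
  'name: CI',
  'on: [push]',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@master',
  '      - uses: actions/setup-node@v1',
  '        with:',
  '          node-version: 12',
  '      - uses: ./.github/actions/local',
  '      - run: npm test',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(unpinnedUses(SAMPLE_WORKFLOW)); // [ 'actions/checkout@master', 'actions/setup-node@v1' ]
  console.log(pinWorkflow(SAMPLE_WORKFLOW));
  console.log(unpinnedUses(pinWorkflow(SAMPLE_WORKFLOW))); // []
}
```

The script only handles the unquoted, single-line uses form; a quoted value or a docker:// image is left alone rather than guessed at. Running pinWorkflow over already-pinned output with the same lookup table returns the text unchanged, and running it after master has moved rewrites only the sha, which is the upgrade behaviour described above.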
If you're interested in learning more about Actions, check out Building Github Actions to learn how to build your own custom actions in any language
The tool is written in Node, which means you'll need to install it with npm:
npm install -g pin-github-action
If you get a permissions error, you may need to run sudo npm install -g pin-github-action instead (or configure npm to use a user-writable global prefix, which avoids running package install scripts as root).
Once it’s installed, you provide the tool with a workflow file and it takes care of the rest.
If you're using any private actions, you'll need to provide the tool with a GitHub access token that can read the relevant repository:
GH_ADMIN_TOKEN=<your-token-here> pin-github-action /path/to/.github/workflows/your-name.yml
If you're interested in reading the code or contributing to the project, the source is available on GitHub.