chore: Use commit SHAs in workflows (#1767)

Co-authored-by: Vincent Smedinga <v.smedinga@amsterdam.nl>
Amsterdam · Dec 3, 2024 · ff1b1a8 · ff1b1a8
1 parent 28c36dc
commit ff1b1a8
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 25 deletions.
diff --git a/.github/workflows/feature-branch-cleanup.yml b/.github/workflows/feature-branch-cleanup.yml
@@ -20,14 +20,14 @@ jobs:
           echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
 
       - name: Check out branch to access .nvmrc
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version-file: .nvmrc
 
       - name: Check out gh-pages branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: gh-pages
 
@@ -41,7 +41,7 @@ jobs:
           git push
 
       - name: Deactivate deployment
-        uses: bobheadxi/deployments@v1
+        uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1.5.0
         if: always()
         with:
           step: deactivate-env

diff --git a/.github/workflows/feature-branch-deploy.yml b/.github/workflows/feature-branch-deploy.yml
@@ -21,20 +21,20 @@ jobs:
           echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
 
       - name: Check out
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Create deployment
-        uses: bobheadxi/deployments@v1
+        uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1.5.0
         id: deployment
         with:
           step: start
           token: ${{ secrets.GITHUB_TOKEN }}
           env: demo-${{ env.BRANCH_NAME }}
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           cache: pnpm
           node-version-file: .nvmrc
@@ -52,22 +52,22 @@ jobs:
           touch ./storybook/dist/${{ github.sha }}.txt
 
       - name: Pushing to pages branch
-        uses: JamesIves/github-pages-deploy-action@v4
+        uses: JamesIves/github-pages-deploy-action@62fec3add6773ec5dbbf18d2ee4260911aa35cf4 # v4.6.9
         with:
           branch: gh-pages
           folder: storybook/dist
           target-folder: demo-${{ env.BRANCH_NAME }}
 
       - name: Wait for GitHub Pages to be deployed
-        uses: mydea/action-wait-for-api@v2
+        uses: mydea/action-wait-for-api@45d9c58e690337a05eb5ae14a1478f29eacbf9db # v2.0.0
         with:
           url: https://${{ github.repository_owner }}.github.io/${{ github.event.repository.name }}/demo-${{ env.BRANCH_NAME }}/${{ github.sha }}.txt
           expected-status: 200
           timeout: 600
           interval: 15
 
       - name: Update deployment status
-        uses: bobheadxi/deployments@v1
+        uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1.5.0
         if: always()
         with:
           step: finish

diff --git a/.github/workflows/lint-test.yml b/.github/workflows/lint-test.yml
@@ -11,13 +11,13 @@ jobs:
 
     steps:
       - name: Check out branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
 
       - name: Set up Node.js version
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           cache: pnpm
           node-version-file: .nvmrc
@@ -31,13 +31,13 @@ jobs:
 
     steps:
       - name: Check out branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
 
       - name: Set up Node.js version
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           cache: pnpm
           node-version-file: .nvmrc
@@ -58,7 +58,7 @@ jobs:
           pnpm run --if-present test
 
       - name: "Retain build artifact: Storybook"
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: storybook
           path: storybook/dist/

diff --git a/.github/workflows/pr-title-validation.yml b/.github/workflows/pr-title-validation.yml
@@ -17,7 +17,7 @@ jobs:
     name: PR title validation
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -13,15 +13,15 @@ jobs:
 
     steps:
       - name: Create release
-        uses: googleapis/release-please-action@v4
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
         id: release
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           target-branch: main
 
       # The logic below handles the npm publication:
       - name: Check out branch
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # This is necessary because on.workflow_run always runs on the
           # default branch, which is 'develop' in our case
@@ -31,11 +31,11 @@ jobs:
         if: ${{ steps.release.outputs.releases_created == 'true' }}
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
         if: ${{ steps.release.outputs.releases_created == 'true' }}
 
       - name: Set up Node.js version
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           cache: pnpm
           node-version-file: .nvmrc
@@ -58,15 +58,15 @@ jobs:
 
       # The logic below handles the Storybook deploy:
       - name: "Restore build artifact: Storybook"
-        uses: dawidd6/action-download-artifact@v6
+        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
         with:
           workflow: "lint-test.yml"
           name: storybook
           path: dist/storybook
         if: ${{ steps.release.outputs.releases_created == 'true' }}
 
       - name: Deploy to GitHub Pages
-        uses: JamesIves/github-pages-deploy-action@v4
+        uses: JamesIves/github-pages-deploy-action@62fec3add6773ec5dbbf18d2ee4260911aa35cf4 # v4.6.9
         with:
           branch: gh-pages
           folder: dist/storybook

diff --git a/documentation/continuous-integration.md b/documentation/continuous-integration.md
@@ -0,0 +1,37 @@
+<!-- @license CC0-1.0 -->
+
+# Continuous integration
+
+## Commit hashes for GitHub Actions
+
+We use a commit hash instead of a version number to specify which release of a GitHub Action we use in our workflows.
+
+Version numbers are based on Git tags, which are mutable.
+This is a security risk.
+
+For instance, if Action X is tagged as 'v1.0.0', pointing to commit A, and a malicious actor takes over the Action X repository,
+they can add harmful code in commit B.
+They could then change the 'v1.0.0' tag to point to commit B instead.
+If you use 'action-x@v1.0.0' in your workflow, you would download code from commit A one day and from commit B the next, without realizing it.
+
+Commit hashes refer to specific commits, giving you more confidence about the version of the Action you are downloading.
+While it is not impossible to generate the same hash with different content, it is very difficult.
+
+### Maintenance
+
+Dependabot supports commit hashes in workflows.
+When a new version of an Action is released, it can update both the commit hash and the accompanying human-readable comment.
+This makes maintenance fairly straightforward.
+
+### Changing a workflow to use hashes
+
+We have used [pin-github-action](https://www.npmjs.com/package/pin-github-action) to change our workflows from version numbers to hashes.
+Use this command to get the correct format:
+
+```sh
+npx pin-github-action -c " {ref}" /path/to/workflow.yaml
+```
+
+### Further reading
+
+- [Maturity levels of using GitHub Actions Securely](https://devopsjournal.io/blog/2021/12/11/GitHub-Actions-Maturity-Levels)