Skip to content

ci: pin all GitHub Actions to full commit SHAs to prevent supply-chain attacks#643

Open
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-pin-actions-to-commit-shas
Open

ci: pin all GitHub Actions to full commit SHAs to prevent supply-chain attacks#643
XananasX7 wants to merge 1 commit into
google:mainfrom
XananasX7:fix/security-pin-actions-to-commit-shas

Conversation

@XananasX7

Copy link
Copy Markdown

Summary

Several workflow files reference GitHub Actions pinned to mutable version tags (e.g. @v4.2.2, @v4.1.7, @v1.13.0, @0.15.0). Tags are mutable — an attacker who gains write access to an upstream Action repository can silently move a tag to point to malicious code, which then executes in re2's CI pipelines and release workflows.

The release workflow has id-token: write and attestations: write permissions, making a compromised Action particularly dangerous (Sigstore signing can be abused, release artifacts tampered with).

Affected files

  • .github/workflows/ci.yml
  • .github/workflows/ci-cmake.yml
  • .github/workflows/ci-bazel.yml
  • .github/workflows/pages.yml
  • .github/workflows/python.yml
  • .github/workflows/release.yml
  • .github/workflows/release-bazel.yml

Vulnerability class

Supply-chain attack via mutable Action tag references (CWE-829). See GitHub Security hardening guide.

Fix

All actions are now pinned to their full immutable commit SHA with the version tag as an inline comment for human readability.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant