Can we consider enabling "immutable" releases on this repo to reduce the risk of supply chain security attacks?
https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases#what-immutable-releases-protect
Here's a related article from astral wherein they explain their approach is to "require all actions to be pinned to specific commits (rather than tags or branches, which are mutable)". So in my CI I could already do so like this
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
but I was curious if we could start a discussion about using immutable releases directly on this repo so uses: actions/checkout@v6.0.2 would also be immutable?
In practice most users are unaware of these details, most docs (including this repo's README.md) don't suggest pinning to specific commits, and it's a bit ugly.
The threat model here is that if any of my 3rd party actions (like this one) have their accounts or CI/CD compromised then an existing release could be overwritten with a malicious one and execute malicious code in the CI/CD of thousands of dependent Github projects.
Can we consider enabling "immutable" releases on this repo to reduce the risk of supply chain security attacks?
https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases#what-immutable-releases-protect
Here's a related article from astral wherein they explain their approach is to "require all actions to be pinned to specific commits (rather than tags or branches, which are mutable)". So in my CI I could already do so like this
but I was curious if we could start a discussion about using immutable releases directly on this repo so
uses: actions/checkout@v6.0.2would also be immutable?In practice most users are unaware of these details, most docs (including this repo's README.md) don't suggest pinning to specific commits, and it's a bit ugly.
The threat model here is that if any of my 3rd party actions (like this one) have their accounts or CI/CD compromised then an existing release could be overwritten with a malicious one and execute malicious code in the CI/CD of thousands of dependent Github projects.