Description
Suggestion
Search Terms
github action, hash-pin, dependabot
Viability Checklist
My suggestion meets these guidelines:
- This wouldn't be a breaking change in existing TypeScript/JavaScript code
- This wouldn't change the runtime behavior of existing JavaScript code
- This could be implemented without emitting different JS based on the types of the expressions
- This isn't a runtime feature (e.g. library functionality, non-ECMAScript syntax with JavaScript output, new syntax sugar for JS, etc.)
- This feature would agree with the rest of TypeScript's Design Goals.
Suggestion
When developing with CI workflows, it's common to pin dependencies by version tag (e.g. actions/checkout@v3). However, version tags are mutable, so an attacker who gains write access to the action's repository could move a version tag to point at a malicious or vulnerable commit instead.
Pinning workflow dependencies by commit hash makes the dependency immutable, so the code that runs is exactly the code that was reviewed.
These dependencies can be kept up-to-date with dependabot. Whenever a new version of an Action is released, you'll receive a PR updating both its hash and the version comment (see this repo as an example).
I'll send a PR pinning the dependencies and adding dependabot along with this issue.
Motivating Example
The new-release-branch.yml workflow runs with contents: write permissions and commits directly to the repository. That workflow (like the others) relies on the actions/setup-node@v3 Action.
If an attacker manages to take over the actions/setup-node Action, they could publish a malicious commit under the @v3 tag, which would then run whenever new-release-branch runs. They could use it to add their own malicious code to the next release cut from that branch.
However, if TypeScript instead uses actions/setup-node@[hash], the Action's behavior is fixed: the same exact commit runs every time.
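As an added example (not part of this issue or of the TypeScript repository's own tooling), a small check that flags `uses:` references not pinned to a full commit SHA and rewrites them into the `@<sha> # <tag>` form the issue proposes. The workflow text and the SHA map are constructed placeholders; in practice the map would be filled from `git ls-remote` on each action's repository.

```python
import re
from typing import Dict, List, Tuple

# `uses: owner/repo[/subpath]@ref` with an optional trailing `# comment`.
# Local actions (./path) and docker:// images do not match and are left alone;
# they are not pinned by commit SHA in this way.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)(?P<comment>\s*#.*)?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow, modelled on the release workflow described in the issue.
WORKFLOW = """\
name: new-release-branch
on: workflow_dispatch
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
      - uses: ./.github/actions/local-step
"""

# Constructed placeholder SHAs, not real commits of these actions.
RESOLVED = {"actions/checkout@v3": "a" * 40, "actions/setup-node@v3": "b" * 40}


def find_unpinned(workflow: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, action, ref) for each `uses:` whose ref is not a full 40-hex SHA."""
    hits = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            hits.append((n, m.group("action"), m.group("ref")))
    return hits


def pin_workflow(workflow: str, resolved: Dict[str, str]) -> str:
    """Rewrite tag refs to `@<sha> # <tag>`; refs with no entry in `resolved` are left unchanged."""
    out = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            key = f"{m.group('action')}@{m.group('ref')}"
            if key in resolved:
                line = f"{m.group('indent')}{m.group('action')}@{resolved[key]} # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"
```

The trailing `# v3` comment is what Dependabot reads to keep both the hash and the version comment current.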
Use Cases
#N/A