pin actions/cache to a full-length commit SHA #199
aleksandra-bozhinoska-sonarsource merged 1 commit into SonarSource:master from
Conversation
As per https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions it is recommended to pin actions to SHAs instead of versions to increase security.
Hey @daantimmer, thank you for your suggestion!

But you are a third party for many others. Which means this GitHub policy can't be enforced when there is a dependency on sonarqube.

I see your point, thanks for clarifying. And to better understand your concern, is it that you would like to enforce this policy, or are you worried that it may be enforced by GitHub at some point?
I'd like to add my support for @daantimmer's request, we also want to enforce this policy across our repositories. Enabling this new setting (see screenshot) in the GitHub Actions settings currently prevents the Workflow from running. It fails with the following error:

Configuration:

```yaml
- name: SonarQube Scan
  uses: SonarSource/sonarqube-scan-action@8c71dc039c2dd71d3821e89a2b58ecc7fee6ced9 # v5.3.0
```
aleksandra-bozhinoska-sonarsource
left a comment
Thank you @daantimmer for your contribution!
@gbrune, many thanks for your argumentation as well!
We will include this improvement in the next release (which will happen ASAP).
1a6d90e into SonarSource:master
FYI: This change killed the action for us on GitHub Enterprise Server where the referenced commit doesn't exist yet.
GitHub suggests pinning actions to SHAs (not versions). If you're using sonarqube-scan-action, it could break if that check ever gets turned on. Reference: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
In general it's recommended to only pin to SHAs and have a Dependabot scan update the SHAs for you.
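The pinned form quoted in the configuration above and the SHA-only policy discussed throughout this thread, as an added example that is not code from sonarqube-scan-action or from anyone in this conversation: a small Python checker that scans a workflow's `uses:` lines and reports every reference that is not pinned to a full-length (40 hex character) commit SHA. The sample workflow, the regular expressions and the function names are this example's own constructions; the pinned SonarQube step is the one shown above, the other steps are made up for the demonstration.

```python
"""Static check for GitHub Actions workflows: report `uses:` references that
are not pinned to a full-length commit SHA.

Everything here is example code: the sample workflow is constructed, and the
regexes/function names are not part of any GitHub or SonarSource tooling.
"""
import re

# Matches `uses: owner/repo[/path]@ref` (optionally prefixed by `- `) and an
# optional trailing `# comment`, e.g. the `# v5.3.0` hint next to a SHA pin.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$")
# A full-length commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Abbreviated SHAs are still not a full-length pin.
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")

# Constructed sample workflow: one step pinned to a full SHA (the form quoted
# in the thread), plus tag, local, container and short-SHA references.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@8c71dc039c2dd71d3821e89a2b58ecc7fee6ced9 # v5.3.0
      - uses: actions/cache@v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: some/action@8c71dc0
"""


def classify_uses(ref: str) -> str:
    """Classify one `uses:` value as local, docker, sha, short-sha or mutable."""
    if ref.startswith("./"):
        return "local"        # path inside the calling repository; nothing to pin
    if ref.startswith("docker://"):
        return "docker"       # container image; would be pinned by digest, out of scope
    if "@" not in ref:
        return "mutable"      # no ref at all resolves to the action's default branch
    _, git_ref = ref.rsplit("@", 1)
    if FULL_SHA_RE.fullmatch(git_ref):
        return "sha"          # immutable: the code cannot change under this pin
    if SHORT_SHA_RE.fullmatch(git_ref):
        return "short-sha"    # abbreviated, not a full-length pin
    return "mutable"          # tag or branch name; the ref can be moved to other code


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, ref, kind) for every `uses:` not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_uses(ref)
        if kind in ("mutable", "short-sha"):
            findings.append((lineno, ref, kind))
    return findings


def pins_without_version_comment(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, ref) for full-SHA pins that lack a `# vX.Y.Z` hint.

    The comment is what lets a reader (and an updater) see which release a
    40-character SHA corresponds to; it does not affect what the runner fetches.
    """
    missing = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "sha" and not m.group(2):
            missing.append((lineno, m.group(1)))
    return missing


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is {kind}, not pinned to a full-length commit SHA")
    for lineno, ref in pins_without_version_comment(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is pinned but has no version comment")
```

The check is purely static: it tells you which references a SHA-only policy would reject, but it cannot tell you whether a given SHA is actually reachable from the copy of the action repository your runners resolve against, which is the GitHub Enterprise Server situation reported above. Keeping the `# vX.Y.Z` comment next to each pin is what makes the pinned SHA reviewable and lets an automated updater such as Dependabot advance both the SHA and the comment together.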