Pin actions to a specific commit instead of branches / tags

Pinning a composite GitHub Action to a specific commit SHA is considered [best practice](https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions), but TBH it's an absolute pain, especially with the number of other actions we depend on.

I'm re-evaluating that idea due to the recent [TeamPCP campaign](https://ramimac.me/teampcp/#timeline), which initially used a compromised GitHub Action to steal credentials from other projects, and has been slowly using those credentials. (some more information about that: https://www.sans.org/blog/when-security-scanner-became-weapon-inside-teampcp-supply-chain-campaign).

We should pin all "untrusted" GitHubActions that we are using to specific commits (right now, make that the latest commit of the tag  or branch they are currently pinned to). That is, we'll change all actions that are not:

* from the `actions` user, which is owned by GitHub
    * we use these everywhere, so upgrading the pinned SHA would be multiple magnitudes more work than pinning to tags.
    * if GitHub itself is compromised, we have much bigger issues.
* the official `pypa/gh-action-pypi-publish` action
    * this helps us switch to trusted publishing, which reduces the number credentials that could be compromised in an attack
    * again, if pypa is compromised, the python ecosystem will have much bigger problems elsewhere in our stack
* any of our own actions

The full list that I've found, split between myself and @rajeswari1301:

Myself:

* [legal-tech-class](https://github.com/SuffolkLITLab/legal-tech-class/blame/33c4a1337a81a99e4a1afbc556417f3fb460f5f4/.github/workflows/deploy.yml#L28): https://github.com/SuffolkLITLab/legal-tech-class/pull/38
* [student_reflictions](https://github.com/SuffolkLITLab/student_reflections/blob/de362006d3e1d230db08f2c597c40ae8a9dde59d/.github/workflows/fly-deploy.yml#L15): https://github.com/SuffolkLITLab/student_reflections/pull/1
* [MAVirtualCourt](https://github.com/SuffolkLITLab/docassemble-MAVirtualCourt/blob/7796cb24a907753ed23341ee6823c7b62bb47261/.github/workflows/auto_close_empty_issues.yml#L12): https://github.com/SuffolkLITLab/docassemble-MAVirtualCourt/pull/773
* [MAHousingTRO](https://github.com/SuffolkLITLab/docassemble-MAHousingTRO/blob/000ac239e96514ca32b7de0ba8869ce39c281651/.github/workflows/auto_close_empty_issues.yml#L12): https://github.com/SuffolkLITLab/docassemble-MAHousingTRO/pull/41
* ALActions/black: https://github.com/SuffolkLITLab/ALActions/pull/78

@rajeswari1301 

* [EfileProxyServer](https://github.com/SuffolkLITLab/EfileProxyServer/blob/aa6e183bbee7c40337e9ff661edba6c5666b7e83/.github/workflows/fly.yml#L20) (and [this action too](https://github.com/SuffolkLITLab/EfileProxyServer/blob/aa6e183bbee7c40337e9ff661edba6c5666b7e83/.github/workflows/fly-prod-release.yml#L19)): https://github.com/SuffolkLITLab/EfileProxyServer/pull/359
* [docassemble-AssemblyLine-documentation](https://github.com/SuffolkLITLab/docassemble-AssemblyLine-documentation/blob/8f64c4d9619fb0023ecd45b263c288ab9d64f545/.github/workflows/deploy.yml#L65): https://github.com/SuffolkLITLab/docassemble-AssemblyLine-documentation/pull/599
* [LITEFile](https://github.com/SuffolkLITLab/LITEFile/blob/8d831205acaf3624531ff567f71515a17bf60059/.github/workflows/fly-deploy.yml#L15): https://github.com/SuffolkLITLab/LITEFile/pull/93

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pin actions to a specific commit instead of branches / tags #76

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Pin actions to a specific commit instead of branches / tags #76

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions