A free solution to the GitHub Actions supply chain crisis

I wrote a post last year on pinning GitHub actions by commit SHA, where I highlighted 3 issues that come with this move:

Loss of vulnerability alerts (see limitations with Dependabot security alerts)
Higher maintenance costs from managing hashes across all your repositories (neither Renovate nor Dependabot version updates will solve this as you still have to manually verify the influx of action updates you’ll get)
Potential waste of effort as GitHub has released Immutable releases

Yo Dawg, I heard you like GitHub Actions, so I'm releasing immutable releases so you can release a release where the tags can't be re-released

I thought long and hard to come up with this

Given this trade-off, I wouldn’t have judged anyone who stuck with semantic versioning, in the hopes that all their actions would eventually adopt Immutable releases.

Unfortunately time waits for no man. Checkmarx, a renowned brand in the AppSec space, had one of their actions compromised, triggering further downstream incidents.

So, you have to proceed with pinning by commit SHA. What do you do?

Solution

You start by implementing the internal action wrapper I mention in my previous post. That is…

create a new repository and add actions to that repo that are just wrappers of the third-party actions
in these new wrappers, pin the external dependencies by commit SHA
in your workflows, replace the third-party actions with the internal wrappers; you can pin these actions either by branch name, or by semantic version if needed

Now you have a single place where you manage all those pesky hashes. Great!

Problem is, you’re still missing out on vulnerability alerts. Enter an earth-shattering idea:

create a new workflow - doesn’t matter where, you’ll never run it
add the external actions you’re using to the workflow
pin these external dependencies by the semantic version corresponding to the commit SHA you’re using

Dependabot Security alerts will thus work on your external dependencies again. Yay!

As with most (all?) things in life, however, you trade one problem for another. The conundrum - how to maintain consistency between the new workflow, and the internal action wrappers? I’ll pause my thinking here though; might write another post to address this if there’s demand.

Want to talk? I'm on LinkedIn; please add a message when you connect. Alternatively, use this contact form. And, subscribe if you want to be notified about new blog posts.