
workflows: Stop pinning actions that are not security relevant #2479

Merged
merged 1 commit into from
Oct 9, 2023

Conversation

Member

@jku jku commented Oct 2, 2023

These workflows have no real security relevance (runtime, build or test) in the sense that a compromise in the dependencies could not compromise python-tuf security:

  • scorecards
  • dependency-review
  • codeql-analysis

There is also no significant reproducibility issue as these are not part of the test suite. These are all "tier 3" dependencies as documented in #2014 (comment)

Stop pinning the actions used in these workflows (except the common actions that are used everywhere like actions/checkout: use the same version of those everywhere). The benefit here is fewer Dependabot PRs: If we had done this from the start we'd have skipped ~70 PRs by now.

The interesting permissions used in these workflows are

  • security-events: write
    This can add things onto the "Security" tab in GitHub
  • id-token: write
    This allows OIDC authentication, but only as this specific workflow

These permissions look completely acceptable to me.

These workflows have no real security relevance (runtime build or test)
in the sense that a compromise in the dependencies could compromise
python-tuf security:
* scorecards
* dependency-review
* codeql-analysis

Stop pinning the actions used in them (except the common actions that
are used everywhere like actions/checkout: use the same version of
those everywhere). The benefit here is fewer Dependabot PRs: If we had
done this from the start we'd have skipped ~70 PRs by now.

The interesting permissions used in these workflows are
 * security-events: write
   This can add things onto the "Security" tab in GitHub
 * id-token: write
   This allows OIDC authentication, but only as this specific workflow

These permissions look completely acceptable to me.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
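The policy above has two checkable parts: SHA-pin everything in workflows whose dependencies can affect the release or test suite, and keep the common actions (actions/checkout) pinned to one version across all workflows. The following is an added example (not code from this PR or from python-tuf) of a small checker for that policy; the workflow contents, the tier list in `MUST_PIN` and the commit SHA are constructed for the example.

```python
import re

# Constructed sample workflows; not python-tuf's real workflow files.
WORKFLOWS = {
    "ci.yml": "steps:\n  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.0\n"
              "  - uses: actions/setup-python@v4.7.1\n",
    "scorecards.yml": "steps:\n  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.0\n"
                      "  - uses: ossf/scorecard-action@v2.3.1\n",
    "codeql-analysis.yml": "steps:\n  - uses: actions/checkout@v3\n"
                           "  - uses: github/codeql-action/init@v2\n",
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

# Workflows whose action dependencies could affect released code or the test
# suite: these keep full-SHA pins (hypothetical tier list for this example).
MUST_PIN = {"ci.yml"}
# Actions used in every workflow: stay pinned and must use one version everywhere.
COMMON = {"actions/checkout"}

def parse_uses(text):
    """Return (action, ref) pairs for each `uses:` line that carries an '@' ref."""
    pairs = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and "@" in m.group(1):
            action, ref = m.group(1).rsplit("@", 1)
            pairs.append((action, ref))
    return pairs

def check(workflows):
    """Apply the pinning policy and return a list of human-readable findings."""
    findings = []
    common_refs = {}  # action -> set of refs seen across all workflows
    for name, text in workflows.items():
        for action, ref in parse_uses(text):
            pinned = SHA_RE.match(ref) is not None
            if action in COMMON:
                common_refs.setdefault(action, set()).add(ref)
                if not pinned:
                    findings.append(f"{name}: common action {action} is not SHA-pinned ({ref})")
            elif name in MUST_PIN and not pinned:
                findings.append(f"{name}: {action} must be SHA-pinned ({ref})")
    for action, refs in common_refs.items():
        if len(refs) > 1:
            findings.append(f"{action}: {len(refs)} different refs in use: {sorted(refs)}")
    return findings
```

On the sample, the unpinned tag in scorecards.yml produces no finding (tier 3 workflow), while the tag-pinned setup-python in ci.yml and the divergent actions/checkout refs do.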
Member

@joshuagl joshuagl left a comment


This feels very pragmatic. +1

@jku jku merged commit 00b67c0 into theupdateframework:develop Oct 9, 2023
20 checks passed