workflows: Stop pinning actions that are not security relevant #2479
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These workflows have no real security relevance (runtime, build or test) in the sense that a compromise in the dependencies could not compromise python-tuf security:
There is also no significant reproducibility issue as these are not part of the test suite. These are all "tier 3" dependencies as documented in #2014 (comment)
Stop pinning the actions used in these workflows (except the common actions that are used everywhere like actions/checkout: use the same version of those everywhere). The benefit here is fewer Dependabot PRs: If we had done this from the start we'd have skipped ~70 PRs by now.
The interesting permissions used in these workflows are
security-events: write
This can add things onto the "Security" tab in GitHubid-token: write
This allows OIDC authentication, but only as this specific workflowThese permissions look completely acceptable to me.