Is your feature request related to a problem? Please describe.
GitHub started to roll out Immutable Actions using a new publishing method.
GitHub CodeQL started to raise issues for Actions that are "immutable" and not pulled by tag.
So at the moment:
- A developer can make CodeQL happy, but the Scorecard tells the developer: Warn: GitHub-owned GitHubAction not pinned by hash
- A developer can make Scorecard happy, but CodeQL isn't anymore.
Describe the solution you'd like
Ideally, we would update Scorecard to take into account the new GitHub Immutable Actions. When an Action is an Immutable one, we would not tell the developer to pin the action by digest.
The current list of Immutable Actions used by CodeQL can be found here. Far from ideal, but it's a starting point.
Describe alternatives you've considered
At the moment, I'm dismissing the Scorecard findings one by one, but it still affects the score of public repositories negatively.
Additional context
Related issues:
Can you link the "Consuming immutable actions" reference, or is the link broken (private github.com/github repository)?
> GitHub CodeQL started to raise issues for Actions that are "immutable" and not pulled by tag.
My initial thought is that pinning by SHA should be acceptable to both tools. When I tried to find more info, I found this issue upstream (github/codeql-action#2659) which implies that the alert shouldn't be firing anymore (not sure if they agree about SHAs, but rather it was meant to be internal for now).
> Ideally, we would update Scorecard to take into account the new GitHub Immutable Actions
If CodeQL truly decides to drop this check, fine with me! I'll let you choose whether to close this feature request. I agree that pinning by digest should still be viewed as "a good thing".
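What the Scorecard side of this disagreement actually tests, as an added example that is not part of the issue and not Scorecard's own code: a small Python re-implementation of the "pinned by hash" rule run over a constructed workflow file. Treating the `actions/` and `github/` prefixes as the definition of "GitHub-owned", the exact warning wording, and the sample workflow (including its made-up digests) are assumptions for illustration.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed sample workflow; not taken from the issue. The 40-hex git SHA and
# the sha256 digest below are made-up placeholders, not real commits or images.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: github/codeql-action/init@v3
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - run: make test
"""

# A `uses:` step reference, with any trailing "# v5.0.0" style comment dropped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# Only a full-length commit SHA counts as a hash pin; "v4" or "main" do not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Assumption: these owner prefixes are what "GitHub-owned" means for the check.
GITHUB_OWNED = ("actions/", "github/")


class Finding(NamedTuple):
    line: int
    ref: str
    kind: str      # "GitHub-owned GitHubAction", "third-party GitHubAction" or "containerImage"
    pinned: bool


def check_workflow(text: str) -> list[Finding]:
    """Classify every `uses:` reference in a workflow as hash-pinned or not."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action: checked out with the repo, nothing external to pin
        if ref.startswith("docker://"):
            findings.append(Finding(lineno, ref, "containerImage", "@sha256:" in ref))
            continue
        name, _, version = ref.partition("@")
        kind = "GitHub-owned GitHubAction" if name.startswith(GITHUB_OWNED) else "third-party GitHubAction"
        findings.append(Finding(lineno, ref, kind, bool(FULL_SHA_RE.match(version))))
    return findings


def warnings(text: str) -> list[str]:
    """Render the unpinned findings in the style of the message quoted in the issue."""
    return [
        f"Warn: {f.kind} not pinned by hash: {f.ref} (line {f.line})"
        for f in check_workflow(text)
        if not f.pinned
    ]


if __name__ == "__main__":
    for w in warnings(SAMPLE_WORKFLOW):
        print(w)
```

The only thing that silences the warning here is a full commit SHA (or a `sha256:` digest for a container), which is exactly why a tag-referenced Immutable Action still trips it: the rule has no notion of the publishing method, so an allowance for immutable actions would have to be a separate branch on top of this check.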