[mmmaantu]

SHA pinning won't necessarily help if the dependency you are pinning doesn't pin its own dependencies! You still get stuff pulled via vulnerable tags etc. How long till we get this https://github.com/github/roadmap/issues/592 ...

[sepositus]

Yes, this is a crucial distinction to make. The fact of the matter is that you have to treat GitHub Actions like a compromised system. Sure, there's not a ton of steps you can take for protecting builds if it's your primary builder, but you can for example not hook up an AWS account with full admin privileges to it (which I've seen more times than I would have like to).

[bracketfocus]

https://github.com/features/preview/immutable-actions

They are actually releasing this very soon. I’ve seen some of my workflows use an immutable OCI image for some of GH’s actions like actions/checkout.

[sureIy]

Isn't that wrong? I think you have to pre-bundle your actions, it won't do an npm install.

[mikepurvis]

I set up this recently at a new company and did yarn + ncc to build a compiled js out of typescript. It was a bit hairy as a novice, but ended up working fine.

That protects from npm supply chain stuff, but obviously third-party includes like docker/build-push-action are still a risk.

[thenaturalist]

Thanks for highlighting this open issue.

The fact they've been stalling this for a good 2.5 years is... insane??

[daveisfera]

I don't believe that's true. If you pin to a hash, then it will always run that version and can't change