OIDC examples don't pin external actions (& don't declare them)

[janbrasna]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

1. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform#requesting-the-access-token
2. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
3. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure#requesting-the-access-token
4. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault#requesting-the-access-token
5. https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi#updating-your-github-actions-workflow

What part(s) of the article would you like to see updated?

    steps:
    - id: 'auth'
      name: 'Authenticate to GCP'
      uses: 'google-github-actions/[email protected]'
      with:

should pin a hash instead, also the reusable disclaiming 3rdparty usage should be added.

Additional information

This is analogous for all the pages mentioned, for both # Requesting and # Revoking examples.

[janbrasna]

Or do I remember it wrong and it's mandatory only in starter-workflows …?

[nguyenalex836]

@janbrasna Thanks so much for opening an issue!

Or do I remember it wrong and it's mandatory only in starter-workflows …?

We'll get to the bottom of this during review! ✨

[github-actions]

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

[janbrasna]

it's definitely here:

• {% data reusables.actions.actions-not-certified-by-github %}
• {% data reusables.actions.actions-use-sha-pinning %}

and definitely being used e.g. in docker examples… but now i can't seem to be able to locate any guidelines for that in the style guide or writing examples.

[nguyenalex836]

@janbrasna Thank you for your patience while our engineering team reviewed this issue! They responded with the following -

... touching on a general concern where a maintainer of an action can change what the v2 branch or v2.1.5 tag points to. By pointing to a specific commit SHA, you can be confident exactly what you're getting regardless of what ever else the maintainers do. This comes at the cost of needing to keep these versions updated as the maintainers create new releases.

... there are trade offs in both approaches, more security or ease of managing upgrades. Users who want can try to get a balance of both by using SHAs and turning on Dependabot to open PRs when never versions are available.

Still, I don’t know if we want to align all of GitHub docs purely on SHA pinning or not. Directing users to the links above about considerations is my preference.

• https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_iduses
• https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses
• https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Let us know if you have any thoughts regarding the above! For now, I'll add the help wanted label to this issue so that you, or anyone else, can make these updates 💛

[janbrasna]

Still, I don’t know if we want to align all of GitHub docs purely on SHA pinning or not.

That.

Seems like a random mix of pins somewhere, and not declaring 3rdparty elsewhere. (Don't have a solution/opinion myself.)

[janbrasna]

FYI I was not concerned about tips for writing own workflows or hardening thereof per se — but a consistency in example code shown for various topics that use 3rdparty actions, as the reusables already in place would signal to be the preference… just not applied site-wide and not expressed as a rule/guideline anywhere.

Where it is explicitly stated is e.g. here:
https://github.com/actions/starter-workflows/blob/f81606ba01cd6142d264a19ddf8cc2a485a86576/.github/pull_request_template.md?plain=1#L50-L58

• This workflow must only use actions that are produced by GitHub, in the actions organization, or
• This workflow must only use actions that are produced by the language or ecosystem that the workflow supports. These actions must be published to the GitHub Marketplace. We require that these actions be referenced using the full 40 character hash of the action's commit instead of a tag. Additionally, workflows must include the following comment at the top of the workflow file: […]

[nguyenalex836]

@janbrasna Apologies on behalf of our bot! Opening this help wanted issue back up now 💛