Skip to content

[bug] Allow unpinned actions #2909

Description

@funnelfiasco

Currently our release workflow fails with:
Error: The action slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v2.1.0 is not allowed in guacsec/guac because all actions must be pinned to a full-length commit SHA.

This is because we have the Require actions to be pinned to a full-length commit SHA setting enabled on this repo.

However, the SLSA generator action requires a tag instead of a hash:

At present, the GitHub Actions provided in this repository as builders and generators MUST be referenced by tag in order for the slsa-verifier to be able to verify the ref of the trusted builder/generator's reusable workflow. It also needs to be referred as @vX.Y.Z, because the build will fail if you reference it via a shorter tag like @vX.Y or @vX.

As a result, we can't generate provenance and keep this setting on. This setting reduces security risks, but since we use Kusari Inspector to catch insecure workflows more generally, we can disable this in GitHub and still catch unpinned actions.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingpriorityPretty important

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions