[openstreetmap/openstreetmap-website] Lock GitHub Actions dependencies to SHAs for security and predictability (PR #6332)

Nicholas La Roux notifications at github.com
Tue Aug 19 02:04:38 UTC 2025


larouxn left a comment (openstreetmap/openstreetmap-website#6332)

To be clear, SHA pinning GitHub Actions dependencies is considered a best practice because someone could:
1. Release a bugged/infected/malicious version which, without pinning, runs would automatically use. Example: `actions/upload-artifact` is locked to v4 now, so while the latest is v4.6.2, someone could release a v4.6.3, v4.7.0, v4.x.x and runs would automatically use that the next time they run. A vulnerability.
2. More concerning to me, an existing tagged release could be moved to a new commit. Example: `actions/upload-artifact`'s latest release is v4.6.2 which our runs use automatically re: v4 specified version. Someone could in fact pull down the pushed v4.6.2 tag and re-tag a different commit with v4.6.2 and push that up and the next runs would automatically use that instead. A vulnerability.

:information_source: I'll admit that given this repo is only using official GitHub, Ruby, and Coveralls GitHub Actions dependencies the risk of the above happening is rather low compared to if we were using an action from an arbitrary GitHub account but the risk still exists.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/6332#issuecomment-3198969289
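As an added example (not code from the PR or from the openstreetmap-website repository), the Ruby script below applies the two points made in the comment above to a workflow file: it flags `uses:` references that are not pinned to a 40-character commit SHA, rewrites them from a tag-to-SHA mapping while keeping the human-readable tag as a trailing comment, and, for steps that are already pinned, reports when the tag named in that comment no longer resolves to the pinned commit (the moved or re-pushed tag case). The workflow text and the `TAG_SHAS` hash are constructed placeholders; real SHAs would come from `git ls-remote --tags` against the action's repository.

```ruby
require 'yaml'

SHA_RE = /\A\h{40}\z/
# Matches `- uses: owner/repo@ref   # optional comment`, keeping indentation and comment.
USES_LINE_RE = /^(?<prefix>[ \t]*-?[ \t]*uses:[ \t]*)(?<action>[^\s@#]+)@(?<ref>[^\s#]+)(?<rest>[ \t]*(?:#.*)?)$/

# Returns every step-level `uses:` reference in a workflow as [job, ref] pairs.
def workflow_uses(yaml_text)
  doc = YAML.safe_load(yaml_text)
  doc.fetch('jobs', {}).flat_map do |job, spec|
    Array(spec['steps']).filter_map do |step|
      [job, step['uses']] if step.is_a?(Hash) && step['uses']
    end
  end
end

# A reference is pinned when the part after '@' is a full commit SHA.
# Local (./path) and docker:// references are out of scope for tag mutability.
def pinned?(ref)
  return true if ref.start_with?('./', 'docker://')
  _, version = ref.split('@', 2)
  !version.nil? && version.match?(SHA_RE)
end

def unpinned_refs(yaml_text)
  workflow_uses(yaml_text).reject { |_, ref| pinned?(ref) }
end

# Rewrites `uses: owner/repo@tag` to `uses: owner/repo@<sha> # tag` using a
# caller-supplied tag-to-SHA mapping. Tags absent from the mapping are left as-is.
def pin_workflow(yaml_text, tag_shas)
  yaml_text.gsub(USES_LINE_RE) do
    m = Regexp.last_match
    sha = tag_shas["#{m[:action]}@#{m[:ref]}"]
    sha ? "#{m[:prefix]}#{m[:action]}@#{sha} # #{m[:ref]}" : m[0]
  end
end

# For each SHA-pinned step whose trailing comment records the tag it came from,
# compare the pinned SHA with where that tag points now. A mismatch means the
# tag moved (new release re-using the tag, or a force-pushed tag) and a human
# should inspect the new commit before re-pinning.
def tag_drift(yaml_text, current_tag_shas)
  yaml_text.each_line.filter_map do |line|
    m = USES_LINE_RE.match(line)
    next unless m && m[:ref].match?(SHA_RE)
    tag = m[:rest][/#\s*(\S+)/, 1]
    next unless tag
    now = current_tag_shas["#{m[:action]}@#{tag}"]
    ["#{m[:action]}@#{tag}", m[:ref], now] if now && now != m[:ref]
  end
end

# Constructed sample workflow (not the project's real CI file).
SAMPLE_WORKFLOW = <<~YAML
  name: CI
  on: [push]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - uses: ruby/setup-ruby@v1
          with:
            bundler-cache: true
        - run: bundle exec rails test
        - uses: actions/upload-artifact@v4
          with:
            name: coverage
            path: coverage/
YAML

# Constructed placeholder SHAs, NOT the real commits these tags point to.
TAG_SHAS = {
  'actions/checkout@v4'        => 'a' * 40,
  'ruby/setup-ruby@v1'         => 'b' * 40,
  'actions/upload-artifact@v4' => 'c' * 40,
}.freeze

if __FILE__ == $PROGRAM_NAME
  unpinned_refs(SAMPLE_WORKFLOW).each { |job, ref| puts "#{job}: #{ref} is not SHA-pinned" }
  pinned = pin_workflow(SAMPLE_WORKFLOW, TAG_SHAS)
  puts pinned
  # Simulate someone re-pointing the v4 tag at a different commit.
  moved = TAG_SHAS.merge('actions/upload-artifact@v4' => 'd' * 40)
  tag_drift(pinned, moved).each do |tag, was, now|
    puts "#{tag}: pinned #{was[0, 7]} but tag now resolves to #{now[0, 7]}"
  end
end
```

The trailing `# v4` comment is what keeps a SHA-pinned line reviewable and is also what `tag_drift` reads; without it a pin is a bare hash nobody can relate to a release. Tools such as Dependabot follow the same convention when they bump pinned actions.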