Hash pin github workflows

## Description

I would like to suggest a security practice recommended by the [OpenSSF Scorecard][scorecard-repo] which is to hash pin dependencies to prevent typosquatting and tag renaming attacks.

The change would only be applied to GitHub workflows.

This means hash pinning GitHub Workflow actions.

Along with hash-pinning dependencies, I also recommend adopting dependabot (or another dependency-update tool) to help keep the dependencies up to date. Most tools can update hashes and associated semantic version comments.

Any questions or concerns just let me know.
Thanks!

## Additional Context

A tag renaming attack is a type of attack whereby an attacker:
- Hijacks an action.
- Uploads a malicious version.
- Replaces existing tags with malicious versions.

A [typosquatting attack][typosquatting] is a type of attack whereby an attacker:
- Creates a malicious package.
- Publishes it with a name similar to a known package (example: numpi instead of numpy).

For more information about the dependency-update tools:
- [Dependabot][dependabot]

[scorecard-repo]: https://github.com/ossf/scorecard
[deps-confusion]: https://www.websecuritylens.org/how-dependency-confusion-attack-works-and-how-to-prevent-it/
[typosquatting]: https://snyk.io/blog/typosquatting-attacks/
[dependabot]: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
[renovatebot]: https://www.mend.io/renovate/

PiperOrigin-RevId: 561019142
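As an added example (not part of this commit and not the protobuf project's own code), the following script applies the rule the commit message describes to workflow files: it flags `uses:` references that are not pinned to a full 40-hex commit SHA (tags, branches, missing refs, container images without a digest) and warns when a pinned reference lacks the trailing version comment that Dependabot's github-actions ecosystem uses to keep the pin and the comment in step. The sample workflow text and every commit SHA in it are constructed placeholders.

```python
"""Audit GitHub workflow files for action references that are not hash-pinned.

Added example, not code from the protobuf repository. It implements the rule
the commit message describes: every `uses:` reference should point at a full
commit SHA, with the human-readable version kept in a trailing comment so that
Dependabot can update both together.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches `uses: owner/repo@ref`, with or without the leading list dash,
# optional quotes, and an optional trailing `# comment`.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?(?P<ref>[^\s"'#]+)["']?\s*(?:#\s*(?P<comment>\S.*))?$"""
)
# A full 40-character lowercase hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - name: Validate Protobuf BOM
        uses: googleapis/java-cloud-bom/tests/validate-bom@89abcdef0123456789abcdef0123456789abcdef
"""


@dataclass
class Finding:
    line: int
    ref: str
    status: str   # "ok", "unpinned" or "pinned-no-comment"
    reason: str


def classify(ref: str, comment: Optional[str]) -> Tuple[str, str]:
    """Decide whether one `uses:` reference is safely pinned."""
    if ref.startswith("./"):
        return "ok", "local action, versioned with the repository itself"
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return "ok", "container image pinned by digest"
        return "unpinned", "container image referenced by tag, not by digest"
    if "@" not in ref:
        return "unpinned", "no ref given, so the default branch is used"
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.fullmatch(version):
        if comment:
            return "ok", f"pinned to a commit; comment '{comment}' lets Dependabot track the version"
        return "pinned-no-comment", "pinned to a commit but missing the version comment update tooling relies on"
    return "unpinned", f"mutable ref '{version}' (tag or branch) can be re-pointed at other code"


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line in the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue
        status, reason = classify(m.group("ref"), m.group("comment"))
        findings.append(Finding(lineno, m.group("ref"), status, reason))
    return findings


def unpinned_refs(text: str) -> List[str]:
    """Only the references that a tag-rename attack could redirect."""
    return [f.ref for f in audit_workflow(text) if f.status == "unpinned"]


def main(paths: List[str]) -> int:
    """Audit the given workflow files, or the built-in sample when none are given."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    exit_code = 0
    for name, text in sources:
        for f in audit_workflow(text):
            print(f"{name}:{f.line}: [{f.status}] {f.ref}: {f.reason}")
            if f.status != "ok":
                exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_pins.py .github/workflows/*.yml` in CI; it exits non-zero on any finding that is not `ok`, so a newly added tag reference fails the build before the Scorecard check does. Local actions (`./...`) are left alone because they are versioned with the repository, and container images count as pinned only when referenced by `@sha256:` digest.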
pull/13765/head
Protobuf Team Bot 2023-08-29 07:06:43 -07:00 committed by Copybara-Service
parent 332352113c
commit da398bd4c2
3 changed files with 10 additions and 2 deletions

.github/dependabot.yml (new file)

@ -0,0 +1,8 @@
version: 2
updates:
- package-ecosystem: "github-actions" # Necessary to update action hashs
directory: "/"
schedule:
interval: "weekly"
# Allow up to 3 opened pull requests for github-actions versions
open-pull-requests-limit: 3
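Review bot: the comment on the `package-ecosystem` line has a typo, "hashs" should be "hashes". Otherwise the file does what the commit message needs: the `github-actions` ecosystem with `directory: "/"` covers the workflows under `.github/workflows`, and Dependabot will bump both the commit SHA and the trailing `# vX.Y.Z` comment on pinned `uses:` lines, so every pin in the workflows should keep that comment or the update PRs will not carry a readable version.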


@ -7,7 +7,7 @@ on:
required: true
description: "The SHA key for the commit we want to run over"
type: string
permissions:
contents: read
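Review bot: the +/- markers and the file name did not survive in this rendered hunk, so the one replaced line in this seven-line region cannot be reviewed from what is shown; only unchanged context (the input description, `type: string`, and `permissions: contents: read`) is visible. Before merging, confirm the changed line is a `uses:` reference converted from a tag to a full commit SHA with the tag kept in a trailing comment, as in the validate-bom hunk, and that no other line in this region was altered.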


@ -110,6 +110,6 @@ jobs:
run: |
sudo rm -rf _build
- name: Validate Protobuf BOM
uses: googleapis/java-cloud-bom/tests/validate-bom@v26.13.0
uses: googleapis/java-cloud-bom/tests/validate-bom@fd56f04bb0bc581776a74031591f0b3bc5e7920a # v26.13.0
with:
bom-path: java/bom/pom.xml
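Review bot: the new `uses:` line pins to a full 40-character commit SHA and keeps `# v26.13.0` as the trailing comment, which is the form Dependabot's github-actions updater reads to move the SHA and the comment together; verify that `fd56f04bb0bc581776a74031591f0b3bc5e7920a` is the commit the `v26.13.0` tag actually resolves to in `googleapis/java-cloud-bom` (for example `git ls-remote --tags https://github.com/googleapis/java-cloud-bom v26.13.0`), because a pin to a different commit silently changes which action code runs while the comment still claims the tagged version. Note also that the pin covers the `tests/validate-bom` subdirectory of that repository, so the SHA is a commit of the whole repo, not of the action alone.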