René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Hash-pin GitHub Actions to increase workflow resiliency ","articleBody":"# Feature or enhancement\n\n### Proposal:\n\nWhen developing with CI workflows, it's common to version-pin dependencies (i.e. `actions/checkout@v3`). Such major-version pins can be useful in that you get immediate access to the latest version of each Action. However, this also makes the project vulnerable should a broken or malicious release be published. However, version tags are mutable, so minor version tags aren't the best solution, since a malicious attacker could overwrite a version tag to point to a malicious or vulnerable commit instead.\n\nHash-pinning workflow dependencies ensures the dependency is immutable and its behavior is guaranteed.\n\nThese hashes (and comments indicating the respective version) can be kept up-to-date by dependabot, which cpython already uses. However, the current configuration (ignoring patch and minor version bumps, set in #92186) would need to be modified. My understanding of the motivation for #92186 was the flood of PRs generated by dependabot. However, this concern can be mostly eliminated by relying on dependabot's new [grouped updates](https://github.blog/2023-08-24-a-faster-way-to-manage-version-updates-with-dependabot/); dependabot can now be configured to send a single PR per month updating all Actions at once (see [this example](https://github.com/pnacht/libarchive/pull/1)). \n\nI'll send a PR pinning the Actions and changing dependabot's configuration along with this issue.\n\n---\n\nHey, I'm Pedro. I work with Google and the [OpenSSF](https://openssf.org/) to [help](https://opensource.googleblog.com/2023/04/googles-open-source-security-upstream-team-one-year-later.html) critical projects improve their supply-chain security. \n\n### Has this already been discussed elsewhere?\n\nThis is a minor feature, which does not need previous discussion elsewhere\n\n### Links to previous discussion of this feature:\n\nI previously suggested this change to pypa/setuptools, where I had an [excellent exchange](https://github.com/pypa/setuptools/issues/4025) with @jaraco. I recommend taking a look at our conversation there.\n\nThe conclusion there was that the change wasn't feasible for that project. My understanding is that the main \"hurdle\" was the project's use of [jaraco/skeleton](https://github.com/jaraco/skeleton) as its template. Unfortunately, keeping the hashes updated in the skeleton and its \"child\" repositories would lead to frequent conflicts when merging skeleton updates into the repositories. The maintainers therefore reasonably concluded (and I couldn't really disagree) that the benefits of hash-pinning weren't worth the significant overhead they would cause in that situation.\n\nHowever, I believe the situation for CPython is much more straightforward. The \"overhead\" here would be merging at most one dependabot PR per month.\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-109111\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/pnacht","@type":"Person","name":"pnacht"},"datePublished":"2023-09-07T20:22:47.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":4},"url":"https://github.com/109110/cpython/issues/109110"}