
ci: pin all GitHub Actions to full commit SHAs to prevent supply-chain attacks #8731

Open
XananasX7 wants to merge 1 commit into tensorflow:master from XananasX7:fix/security-pin-actions-to-commit-shas


@XananasX7


Summary

Three workflow files (tfjs-ci.yml, tfjs-nightly-release-and-publish-test.yml, tfjs-release-branch-publish-test.yml) reference GitHub Actions pinned to mutable version tags (@v4, @0.14.0). Tags are mutable — if an upstream Action repository is compromised, the new malicious code executes automatically in every workflow run.

Vulnerability class

Supply-chain attack via mutable Action tag references (CWE-829).

Actions pinned (before → after)

| Action | Was | Now |
| --- | --- | --- |
| actions/checkout | @v4 | @34e114876b0b11c390a56381ad16ebd13914f8d5 |
| bazel-contrib/setup-bazel | @0.14.0 | @e8776f58fb6a6e9055cbaf1b38c52ccc5247e9c4 |
| actions/setup-node | @v4 | @49933ea5288caeca8642d1e84afbd3f7d6820020 |

Fix

All actions are now pinned to their full immutable commit SHA with the version tag as an inline comment for human readability.
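
A check that enforces the pinning policy this pull request describes, as an added example that is not part of the pull request or the repository's own code: it scans workflow text for `uses:` references and reports any whose revision is not a full 40-character commit SHA. The sample workflow is constructed from the references in the table above, and the function names are hypothetical.

```python
import re

# A `uses:` key (step-level or job-level), its reference, and any trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line_no, reference, verdict) for every `uses:` line in the text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        if ref.startswith("./") or ref.startswith("docker://"):
            verdict = "skipped"  # local action or container image: out of scope here
        else:
            _, _, rev = ref.partition("@")
            if FULL_SHA_RE.fullmatch(rev):
                # A pinned SHA with no version comment is hard to review and update.
                verdict = "pinned" if comment else "pinned-no-comment"
            else:
                verdict = "mutable"  # tag, branch, short SHA, or no revision at all
        findings.append((line_no, ref, verdict))
    return findings


def unpinned(text):
    """Only the references that a CI gate should reject."""
    return [f for f in audit_workflow(text) if f[2] == "mutable"]


# Constructed sample workflow (not one of the repository's files).
SAMPLE_WORKFLOW = """\
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: bazel-contrib/setup-bazel@0.14.0
      - name: node
        uses: actions/setup-node@v4
      - uses: ./local-action
"""

if __name__ == "__main__":
    for line_no, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {verdict}")
```

Run as a required CI step over every file under `.github/workflows/`, failing the job when `unpinned()` returns anything, so a later change cannot reintroduce a tag reference unnoticed.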
