In light of "GitHub's commitment to npm ecosystem security" (The GitHub Blog), I am wondering how GitHub plans to ensure the GitHub Actions ecosystem also remains secure in the event of third-party action repository takeovers. As suggested in "Security hardening for GitHub Actions" (GitHub Docs), the safest way at the moment is to pin any third-party actions to a commit SHA, but unfortunately most documentation on GitHub and in third-party actions suggests pinning to a major version (e.g. @v1), which means it will automatically pull in subsequent tags for that major version.
This is especially troubling for third-party actions which are invoked in an authenticated context. They could not only access the GITHUB_TOKEN, but could also compromise cloud accounts such as AWS if precautions are not taken.
These are problems that have already been solved in other ecosystems, through things like caching layers (to guarantee the resource does not change), multi-factor verification when publishing new versions of a package, and ensuring that previously published packages cannot be modified. At the very least, it seems that GitHub should promote security best practices in all places in their documentation, instead of expecting someone to find and read the security section. Even better if this could be enforced through a process or convention.
PS: this is even more of a nightmare when using an action that itself references other actions. The only way to get around that is to fork the action and maintain it yourself, or copy the action into your repository.