Feature: Hash-pin sensitive workflow dependencies and enable dependabot for them #331
Description
Hi, I'm Diogo and I'm back (see #324 and #328). At the issue #324 I suggested you to set minimal permissions to your workflows. Now I'm coming back to suggest a modification that would provide extra safety for the workflows that yet require dangerous permissions (e.g., pull-requests: write or repository-projects: write).
Problem
Your workflow ci-update-workflow.yml is using dangerous permissions and secrets while running external dependencies pinned only by tag. Those patterns could be dangerous because if any of those actions get hijacked (and at the end they're all repositories and are susceptible to attacks like any other), an attacker could change the code that your tags point to, gaining access to your secrets and/or write permissions to your repository.
Proposed Solution
A simple solution for this problem would be to hash-pin those sensitive actions, pointing the actions to the very specific commit of that release. It follows and example of the change:
- uses: r-lib/actions/pr-fetch@v1
would become
- uses: r-lib/actions/pr-fetch@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v1.3.1
And this would enforce that your action is always running at the expected code.
The only downsize of this solution is that it gets trickier to manually update the version of the actions as they get out-of-date, but that can be solved by using a Dependency-Update-Tool (like dependabot or renovatebot). I saw that you already have dependabot enabled to your GO dependencies, so my suggestion is to set it up to also update workflow dependencies -- we can configure it to update all workflow dependencies in a single monthly PR, for example. For the case of the hash-pinning, the PRs would still keep a comment with the human-readable version used =).
Conclusion
I'll take the liberty of raising a PR implementing my suggestions, so that it becomes easier for you to evaluate. Let me know if you have any questions or concerns.
Thanks!