GitHub Actions, like open source dependencies, are vulnerable to malicious attacks. Pinning GitHub Actions to their digests (instead of using floating tags) is recommended by GitHub: it’s the only way to use an Action as an immutable release, so that you’re always using a known-good version even if the source repo is compromised. Likewise, for containers, the digest is a unique identifier for the content of an image. Once an image is built, its digest will always refer to that specific build, ensuring immutability and consistency. Only 2% of public GitHub repos pin actions to digests today, probably because it’s a tedious process. But there are now ways to automate this! In this livestream, we’ll explore some free and open source tools you can use to automate pinning container images and Actions by their digests and demo how they work.
Presented by:
Stacklok