GitHub Actions, like open source dependencies, are vulnerable to malicious attacks. Pinning GitHub Actions to their digests (instead of using floating tags) is recommended by GitHub: it’s the only way to use an Action as an immutable release, so that you’re always using a known-good version even if the source repo is compromised. Likewise, for containers, the digest is a unique identifier for the content of an image. Once an image is built, its digest will always refer to that specific build, ensuring immutability and consistency.
Only 2% of public GitHub repos pin actions to digests today, probably because it’s a tedious process. But there are now ways to automate this!
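One reason digest pinning is tedious is that you first have to find every floating reference in your workflows. The script below is an added example, not code from the page or from Stacklok's tools: it scans a workflow file for `uses:` and `image:`/`container:` lines and reports each one that is not pinned to a full 40-hex commit SHA or a `sha256:` image digest. The sample workflow, the 40-hex SHA and the 64-hex digest embedded in it are constructed placeholders, not real revisions of any action or image.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally quoted; a trailing `# v1.2.3`
# comment (the convention pinning tools add) is excluded from the capture.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# Inline `container: image` (job level) or `image:` (service containers).
IMAGE_RE = re.compile(r'^\s*(?:image|container):\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
DIGEST_RE = re.compile(r'@sha256:[0-9a-f]{64}$')


def check_action_ref(ref):
    """Return None if the action reference is immutable, else a reason string."""
    if ref.startswith('./'):
        return None  # local action: it lives in the same repository as the workflow
    if ref.startswith('docker://'):
        # Actions can also be container images; those need an image digest.
        return None if DIGEST_RE.search(ref) else 'docker image without sha256 digest'
    if '@' not in ref:
        return 'no ref at all (defaults to the default branch)'
    _, _, version = ref.rpartition('@')
    if FULL_SHA_RE.match(version):
        return None
    # Tags and branches can be moved; short SHAs are not what GitHub recommends either.
    return f'ref {version!r} is not a full 40-hex commit SHA'


def check_image_ref(ref):
    """Return None if the image reference carries a sha256 digest, else a reason."""
    return None if DIGEST_RE.search(ref) else 'image without sha256 digest'


def find_unpinned(workflow_text):
    """Yield (line_number, reference, reason) for every mutable reference found."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            reason = check_action_ref(m.group(1))
            if reason:
                findings.append((lineno, m.group(1), reason))
            continue
        m = IMAGE_RE.match(line)
        if m:
            reason = check_image_ref(m.group(1))
            if reason:
                findings.append((lineno, m.group(1), reason))
    return findings


# Constructed sample workflow. The SHA and digest below are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    container: python:3.12
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.1.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: build
        run: make
    services:
      db:
        image: postgres@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == '__main__':
    for lineno, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {lineno}: {ref}: {reason}')
```

Run against the sample, it flags the unpinned job container, the `actions/checkout@v4` tag and the `docker://alpine:3.19` action, and accepts the SHA-pinned `setup-python` step, the local action and the digest-pinned `postgres` service. Resolving each flagged tag to the SHA it currently points at (and recording the tag in a trailing comment so the pin stays readable) is the step the automation tools discussed in the livestream take care of.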
Join Stacklok engineers Juan Antonio "Ozz" Osario and Jakub Hrozek for this CNCF livestream as they explore free and open source tools that automate pinning container images and Actions by digest, and demo how those tools work.
July 17, 2024
9am PT / 12pm ET / 16:00 UTC