GitHub Actions are a vulnerability vector because most users either don't pin the versions at all or pin only to a version tag, which can easily be mutated (a tag can be moved to point at different code). This can be remedied today by pinning to a specific commit, but it's cumbersome, so few projects do it. Today I learned that Renovate has a very handy preset called pinGitHubActionDigestsToSemver that pins the version you specify to the exact commit digest, which adds a lot of security to your CI actions.
Just add "helpers:pinGitHubActionDigestsToSemver" to the extends key of renovate.json and let Renovate run again in the repo. It turns this:
# .github/workflows/your_workflow.yml
# ...
      - name: Deploy to Cloudflare Pages
        uses: cloudflare/wrangler-action@3.14.1
# ...
into this:
# .github/workflows/your_workflow.yml
# ...
      - name: Deploy to Cloudflare Pages
        uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
# ...
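To check whether a repo is actually in the pinned state Renovate produces, here is a small audit script (an added example, not code from the post or from Renovate) that scans a workflow for `uses:` references that are not pinned to a full 40-character commit SHA. The sample workflow is constructed for the example; local `./` and `docker://` references are skipped because they are not resolved through GitHub tags.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the original post). The wrangler-action
# step shows the digest-pinned form produced by the Renovate preset.
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to Cloudflare Pages
        uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3.14.1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

# Matches "- uses: ref" or "uses: ref"; the capture stops at whitespace or a
# trailing "# vX.Y.Z" comment so only the reference itself is inspected.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, ref) for every remote action reference that is
    pinned to a tag or branch (or to nothing) instead of a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # not a GitHub tag/branch reference
        if "@" not in ref:
            findings.append((lineno, ref))  # no ref at all: mutable
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append((lineno, ref))  # tag or branch: mutable
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```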
It's nice to have these kinds of low-hanging security fruit for free!