harden the use of third-party GH actions by using explicit SHAs for a…

…ny unverified providers
neon-bindings · May 6, 2024 · 895361e · 895361e
1 parent 4091edf
commit 895361e
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 24 deletions.
diff --git a/pkgs/create-neon/data/templates/ci/github/build.yml.hbs b/pkgs/create-neon/data/templates/ci/github/build.yml.hbs
@@ -36,7 +36,7 @@ jobs:
       matrix: {{#$}} steps.matrix.outputs.result {{/$}}
     steps:
       - name: Checkout Code
-        uses: actions/checkout@{{versions.actions.checkout}}
+        uses: actions/checkout@{{versions.actions.verified.checkout}}
         with:
           ref: {{#$}} inputs.ref {{/$}}
       - name: Setup Neon Environment
@@ -49,7 +49,7 @@ jobs:
         run: echo "json=$(npx neon show ci github | jq -rc)" | tee -a $GITHUB_OUTPUT
       - name: Compute Matrix
         id: matrix
-        uses: actions/github-script@{{versions.actions.githubScript}}
+        uses: actions/github-script@{{versions.actions.verified.githubScript}}
         with:
           script: |
             const platforms = {{#$}} steps.matrixData.outputs.json {{/$}};
@@ -75,7 +75,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout Code
-        uses: actions/checkout@{{versions.actions.checkout}}
+        uses: actions/checkout@{{versions.actions.verified.checkout}}
         with:
           ref: {{#$}} inputs.ref {{/$}}
       - name: Setup Neon Environment
@@ -105,7 +105,7 @@ jobs:
           echo filename=$(basename $(npm pack ./platforms/{{#$}} matrix.cfg.platform {{/$}} --silent --pack-destination=./dist --json | jq -r '.[0].filename')) | tee -a $GITHUB_OUTPUT
       - name: Release
         if: {{#$}} inputs.github-release {{/$}}
-        uses: softprops/action-gh-release@{{versions.actions.ghRelease}}
+        uses: softprops/action-gh-release@{{versions.actions.unverified.ghRelease.sha}} # {{versions.actions.unverified.ghRelease.tag}}
         with:
           files: ./dist/{{#$}} steps.pack.outputs.filename {{/$}}
           tag_name: {{#$}} inputs.tag {{/$}}
@@ -116,7 +116,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@{{versions.actions.checkout}}
+        uses: actions/checkout@{{versions.actions.verified.checkout}}
         with:
           ref: {{#$}} inputs.ref {{/$}}
       - name: Setup Neon Environment
@@ -131,7 +131,7 @@ jobs:
           echo "filename=$(npm pack --silent --pack-destination=./dist)" | tee -a $GITHUB_OUTPUT
       - name: Release
         if: {{#$}} inputs.github-release {{/$}}
-        uses: softprops/action-gh-release@{{versions.actions.ghRelease}}
+        uses: softprops/action-gh-release@{{versions.actions.unverified.ghRelease.sha}} # {{versions.actions.unverified.ghRelease.tag}}
         with:
           files: ./dist/{{#$}} steps.pack.outputs.filename {{/$}}
           tag_name: {{#$}} inputs.tag {{/$}}
diff --git a/pkgs/create-neon/data/templates/ci/github/release.yml.hbs b/pkgs/create-neon/data/templates/ci/github/release.yml.hbs
@@ -74,7 +74,7 @@ jobs:
           fi
           echo publish=true | tee -a $GITHUB_OUTPUT
       - name: Checkout Code
-        uses: actions/checkout@{{versions.actions.checkout}}
+        uses: actions/checkout@{{versions.actions.verified.checkout}}
       - name: Setup Neon Environment
         uses: ./.github/actions/setup
         with:
@@ -112,15 +112,15 @@ jobs:
       contents: write
     steps:
       - name: Checkout Code
-        uses: actions/checkout@{{versions.actions.checkout}}
+        uses: actions/checkout@{{versions.actions.verified.checkout}}
         with:
           ref: {{#$}} needs.setup.outputs.ref {{/$}}
       - name: Setup Neon Environment
         uses: ./.github/actions/setup
         with:
           use-rust: false
       - name: Fetch
-        uses: robinraju/release-downloader@{{versions.actions.releaseDownloader}}
+        uses: robinraju/release-downloader@{{versions.actions.unverified.releaseDownloader.sha}} # {{versions.actions.unverified.releaseDownloader.tag}}
         with:
           tag: {{#$}} needs.setup.outputs.tag {{/$}}
           fileName: "*.tgz"

diff --git a/pkgs/create-neon/data/templates/ci/github/setup.yml.hbs b/pkgs/create-neon/data/templates/ci/github/setup.yml.hbs
@@ -31,13 +31,13 @@ runs:
   using: "composite"
   steps:
     - name: Set Environment Variables
-      uses: falti/dotenv-action@{{versions.actions.dotenv}}
+      uses: falti/dotenv-action@{{versions.actions.unverified.dotenv.sha}} # {{versions.actions.unverified.dotenv.tag}}
       with:
         path: ./.github/.env
         export-variables: true
         keys-case: bypass
     - name: Install Node
-      uses: actions/setup-node@{{versions.actions.setupNode}}
+      uses: actions/setup-node@{{versions.actions.verified.setupNode}}
       with:
         node-version: {{#$}} env.NODE_VERSION {{/$}}
         registry-url: {{#$}} env.NPM_REGISTRY {{/$}}
@@ -53,14 +53,14 @@ runs:
       working-directory: {{#$}} inputs.workspace {{/$}}
     - name: Install Rust
       if: {{#$}} inputs['use-rust'] == 'true' {{/$}}
-      uses: actions-rs/toolchain@{{versions.actions.setupRust}}
+      uses: actions-rs/toolchain@{{versions.actions.verified.setupRust}}
       with:
         toolchain: {{#$}} env.RUST_VERSION {{/$}}
         target: {{#$}} steps.target.outputs.target {{/$}}
         override: true
     - name: Install cross-rs
       if: {{#$}} inputs['use-cross'] == 'true' {{/$}}
-      uses: baptiste0928/cargo-install@{{versions.actions.cargoInstall}}
+      uses: baptiste0928/cargo-install@{{versions.actions.verified.cargoInstall}}
       with:
         crate: cross
     - name: Node Version

diff --git a/pkgs/create-neon/data/templates/ci/github/test.yml.hbs b/pkgs/create-neon/data/templates/ci/github/test.yml.hbs
@@ -54,7 +54,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@{{versions.actions.checkout}}
+        uses: actions/checkout@{{versions.actions.verified.checkout}}
       - name: Setup Neon Environment
         id: neon
         uses: ./.github/actions/setup

diff --git a/pkgs/create-neon/data/versions.json b/pkgs/create-neon/data/versions.json
@@ -11,15 +11,28 @@
   },
   "node": "20",
   "actions": {
-    "checkout": "v3",
-    "githubScript": "v7",
-    "setupNode": "v3",
-    "setupRust": "v1",
-    "cargoInstall": "v2",
-    "neonBuild": "v0.9",
-    "neonPublish": "v0.4.1",
-    "dotenv": "v1",
-    "ghRelease": "v1",
-    "releaseDownloader": "v1.7"
+    "verified": {
+      "checkout": "v3",
+      "githubScript": "v7",
+      "setupNode": "v3",
+      "setupRust": "v1",
+      "cargoInstall": "v2",
+      "neonBuild": "v0.9",
+      "neonPublish": "v0.4.1"
+    },
+    "unverified": {
+      "dotenv": {
+        "tag": "v1.1.2",
+        "sha": "d1cd55661714e830a6e26f608f81d36e23424fed"
+      },
+      "ghRelease": {
+        "tag": "v2.0.4",
+        "sha": "9d7c94cfd0a1f3ed45544c887983e9fa900f0564"
+      },
+      "releaseDownloader": {
+        "tag": "v1.10",
+        "sha": "c39a3b234af58f0cf85888573d361fb6fa281534"
+      }
+    }
   }
 }