What problem does your feature solve?
The tibdex/github-app-token action used in update-completed-sprint-on-issue-closed.yml workflows across stellar org repos is a third-party action, but it is referenced by a branch/tag rather than a commit SHA. The action is also archived, and its README directs users to migrate to actions/create-github-app-token.
Per GitHub's security hardening documentation, third-party actions should be pinned to a full-length commit SHA rather than a tag, because tags can be moved or deleted if a bad actor gains access to the repository. A compromise of a single action within a workflow can be significant, as the compromised action would have access to all secrets configured on the repository.
What would you like to see?
Migrate all stellar org repos to use actions/create-github-app-token@v1, GitHub's official first-party alternative. Using the official action removes the need for SHA pinning since GitHub-maintained actions are trusted and verified.
Affected public repos (20):
Private repos using this workflow also need updating.
Change required in each repo:
- uses: tibdex/github-app-token@v1
+ uses: actions/create-github-app-token@v1
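Review bot: swapping only the `uses:` line may not be a drop-in change; before applying it in each repo, confirm that the step's `with:` input names and the token output the later steps read match what actions/create-github-app-token@v1 documents, and apply the same change to the private repos mentioned above so no workflow keeps the archived action.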
What alternatives are there?
Pin tibdex/github-app-token to a full-length commit SHA instead of a tag version.
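The pinning rule from the hardening guidance above, as an added audit script that is not part of this issue or of any stellar repo: it flags `uses:` references to actions outside the `actions`/`github` owners that are not a full-length 40-hex commit SHA. The trusted-owner set and the sample workflow text are assumptions constructed for the example.

```python
import re

# A full-length commit SHA is exactly 40 hex characters (SHA-1).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Owners treated as first-party, following the issue's reasoning (assumption).
TRUSTED_OWNERS = {"actions", "github"}


def parse_uses(ref: str):
    """Split a `uses:` value into (owner, name, version).
    Returns None for local (./path) and docker:// references,
    which are not pinnable to a commit SHA."""
    ref = ref.strip("\"'")
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    name, _, version = ref.partition("@")
    owner, _, _ = name.partition("/")
    return owner, name, version


def find_unpinned_actions(workflow_text: str):
    """Return [(line_no, name, version)] for third-party actions that are
    referenced by a tag or branch instead of a full-length commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        parsed = parse_uses(m.group(1))
        if parsed is None:
            continue
        owner, name, version = parsed
        if owner in TRUSTED_OWNERS:
            continue
        if not SHA_RE.match(version):
            findings.append((line_no, name, version))
    return findings


# Constructed sample resembling the workflow the issue describes (not the real file).
SAMPLE_WORKFLOW = """\
name: update-completed-sprint-on-issue-closed
on:
  issues:
    types: [closed]
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tibdex/github-app-token@v1
        id: app-token
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567  # pinned
"""

if __name__ == "__main__":
    for line_no, name, version in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {name}@{version} is not pinned to a commit SHA")
```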
cc @stellar/platform-eng @stellar/enterprise-eng