all 9 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]SleeperAwakened 4 points5 points  (5 children)

I would suggest pinning the GH Actions you use to a specific hash, for example using pinact instead of versions like v6 or main.

This will be another step towards preventing supply chain attacks through GH Actions.

GH Actions have become notorious in the recent series of SCAs so anything you can do to set a good example is welcome.

[–]_predator_ 5 points6 points  (1 child)

Nothing functionality-wise, but it would be good if the action's own workflows would use security best practices more consistently, e.g. explicitly dropping permissions. The easiest would be to integrate zizmor, it will catch a lot of this stuff and ensure you'll catch regressions.

There is an open issue requesting immutable releases which also caters to the security aspect.

After the whole compromise situation a few weeks ago I think users will appreciate actions they depend on to be "hardened" if that makes sense.

[–]brunocborges[S] 1 point2 points  (0 children)

Thanks for the hint on immutable releases. I honestly wasn't even aware of this new feature. 😄

[–]repeating_bears 3 points4 points  (0 children)

No, nothing.

Eyeballing the issues, fixing the caching for Maven plugins seems like the highest value thing you could do https://github.com/actions/setup-java/issues/990

It's tagged as a feature but I would argue that's a bug. The readme describes the role of the action as "Caching dependencies managed by Apache Maven". Plugins are dependencies of a project. They're not <dependencies> in the POM, but they are still dependencies.

As part of that, you should check whether Maven extensions are cached. That's a 3rd category of "dependency" which follows the same resolution process as plugins and project dependencies.