Posted to issues@beam.apache.org by "Kenneth Knowles (Jira)" <ji...@apache.org> on 2021/05/15 17:59:03 UTC

[jira] [Updated] (BEAM-11035) Pin versions of "untrusted" 3rd-party GitHub Actions

     [ https://issues.apache.org/jira/browse/BEAM-11035?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kenneth Knowles updated BEAM-11035:
-----------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Resolved)

Hello! Due to a bug in our Jira configuration, this issue had status:Resolved but resolution:Unresolved.

I am bulk editing these issues to have resolution:Fixed

If a different resolution is appropriate, please change it. To do this, click the "Resolve" button (you can do this even for closed issues) and set the Resolution field to the right value.

> Pin versions of "untrusted" 3rd-party GitHub Actions
> ----------------------------------------------------
>
>                 Key: BEAM-11035
>                 URL: https://issues.apache.org/jira/browse/BEAM-11035
>             Project: Beam
>          Issue Type: Bug
>          Components: build-system, testing
>            Reporter: Tobiasz Kedzierski
>            Assignee: Tobiasz Kedzierski
>            Priority: P1
>              Labels: security
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> [https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions]
> quote:
> Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
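The GitHub hardening advice quoted in the issue is easy to state and easy to regress on, since a reviewer skimming a workflow diff cannot tell at a glance whether `@v2` or `@main` has crept back in. The script below is an added example, not code from the Beam project or from the issue: it audits `uses:` lines in a workflow for references that are not pinned to a full-length commit SHA, and rewrites the mutable ones when given a resolved SHA. The sample workflow, the placeholder SHA and the `resolved` mapping are constructed for the example; in practice the SHA comes from `git rev-parse` of the tag you have reviewed.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample workflow (not taken from the Beam repository). The 40-hex
# value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: "actions/setup-python@main"
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v2
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.12
      - name: build
        run: ./gradlew build
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# A step's action reference: `- uses: owner/repo@ref`, possibly quoted.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


class Finding(NamedTuple):
    line: int   # 1-based line number in the workflow file
    ref: str    # the reference as written (quotes stripped)
    kind: str   # "pinned", "mutable" or "local"


def classify(ref: str) -> str:
    """Decide whether an action reference is immutable."""
    if ref.startswith("./"):
        return "local"  # lives in the calling repo; reviewed with its own PRs
    if ref.startswith("docker://"):
        # Image tags move like git tags; only a digest is immutable.
        return "pinned" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"  # no explicit ref; treat as unpinned
    version = ref.rsplit("@", 1)[1]
    return "pinned" if FULL_SHA.match(version) else "mutable"


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line in the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("\"'")
        findings.append(Finding(lineno, ref, classify(ref)))
    return findings


def mutable_refs(text: str) -> List[str]:
    """References that a tag move or force-push could silently change."""
    return [f.ref for f in audit_workflow(text) if f.kind == "mutable"]


def pin_refs(text: str, resolved: Dict[str, str]) -> str:
    """Rewrite mutable git refs to the full SHA supplied in `resolved`.

    The original tag is kept as a trailing comment (the convention tooling
    such as Dependabot uses to know which release a SHA corresponds to).
    Docker refs are left alone: they need a digest, not a git SHA.
    """
    out = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if m:
            token = m.group(1)
            ref = token.strip("\"'")
            if (classify(ref) == "mutable" and "@" in ref
                    and not ref.startswith("docker://") and ref in resolved):
                sha = resolved[ref]
                if not FULL_SHA.match(sha):
                    raise ValueError(f"{ref}: {sha!r} is not a full 40-hex SHA")
                action, version = ref.rsplit("@", 1)
                new_token = token.replace(ref, f"{action}@{sha}")
                suffix = line[m.end(1):]
                line = line[:m.start(1)] + new_token + suffix
                if "#" not in suffix:
                    line += f"  # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.kind:<8} {f.ref}")
    # Constructed mapping; obtain real values with `git rev-parse <tag>`.
    print(pin_refs(SAMPLE_WORKFLOW, {"actions/checkout@v2": "f" * 40}))
```

Run over `.github/workflows/*.yml` in CI and fail the job when `mutable_refs` is non-empty. A SHA pin is immutable but not self-maintaining: the pinned commit still has to be reviewed once, and updates have to be re-pinned deliberately (Dependabot can do this for SHA-pinned actions when the version comment is present). Pinning also says nothing about what the action itself downloads at run time, so the check is a floor, not a complete supply-chain review.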