[slf4j-dev] [JIRA] Updates for SLF4J-591: Reference GitHub Actions by SHA and Dependency Update tool

slf4j developers list slf4j-dev at qos.ch
Wed Jun 14 21:36:00 CEST 2023 

SLF4J / SLF4J-591 [Open]
Reference GitHub Actions by SHA and Dependency Update tool

==============================

Here's what changed in this issue in the last few minutes.

This issue has been created
This issue is now assigned to you.


View or comment on issue using this link
https://jira.qos.ch/browse/SLF4J-591

==============================
 Issue created
------------------------------

Diogo Teles Sant Anna created this issue on 14/Jun/23 21:25

Summary:              Reference GitHub Actions by SHA and Dependency Update tool
Issue Type:           Improvement
Assignee:             SLF4J developers list
Created:              14/Jun/23 21:25
Priority:             Minor
Reporter:             Diogo Teles Sant Anna
Severity:             enhancement
Description:
  Hi!
  
  I'd like to know if you are interested in a PR to update your GitHub workflows to refer to external actions by their SHAs. This is the only way to guarantee that you're using an immutable version of the code, which might protect you from tags being moved to malicious or buggy commits. It's a recommendation from [GitHub itself|https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions] and from security tools like Scorecard.
  
  Although it's more reliable and secure, a clear downsize of this change is the difficulty of maintenance, and that is why at this same Jira ticket I'd like to ask if you have considered using an Dependency Update tool, such as [Dependabot|https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/] or [Renovatebot|https://www.mend.io/renovate/].
  
  Those Dependency Update tools might be useful to help manage the Java dependencies of SLF4J, but also have an an extra security impact because they would always highlight  security patches from dependencies, once their available. Additionally, they're specially handy because they automatically update the SHAs of the GitHub Actions, also making sure to leave the human-readable version as a comment =) .
  
  Let me know what you think of those ideas, I'll be happy to help achieve them.
  
  h4. Additional Context
  I'm Diogo and I work on Google's Open Source Security Team([GOSST|https://opensource.googleblog.com/2023/04/googles-open-source-security-upstream-team-one-year-later.html]) in cooperation with the Open Source Security Foundation ([OpenSSF|https://openssf.org/]). My core job is to suggest and implement security changes on widely used open source projects 😊


==============================
 This message was sent by Atlassian Jira (v9.6.0#960000-sha1:a3ee8af)

More information about the slf4j-dev mailing list