diff --git a/content/actions/creating-actions/about-actions.md b/content/actions/creating-actions/about-actions.md index 740b23b443..5f7e2bd249 100644 --- a/content/actions/creating-actions/about-actions.md +++ b/content/actions/creating-actions/about-actions.md @@ -122,7 +122,7 @@ steps: #### Using a commit's SHA for release management -Each Git commit receives a calculated SHA value, which is unique and immutable. Your action's users might prefer to rely on a commit's SHA value, as this approach can be more reliable than specifying a tag, which could be deleted or moved. However, this means that users will not receive further updates made to the action. Using a commit's full SHA value instead of the abbreviated value can help prevent people from using a malicious commit that uses the same abbreviation. +Each Git commit receives a calculated SHA value, which is unique and immutable. Your action's users might prefer to rely on a commit's SHA value, as this approach can be more reliable than specifying a tag, which could be deleted or moved. However, this means that users will not receive further updates made to the action. {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" %}You must use a commit's full SHA value, and not an abbreviated value.{% else %}Using a commit's full SHA value instead of the abbreviated value can help prevent people from using a malicious commit that uses the same abbreviation.{% endif %} ```yaml steps: diff --git a/content/actions/learn-github-actions/finding-and-customizing-actions.md b/content/actions/learn-github-actions/finding-and-customizing-actions.md index 97dfcb35b8..c3d0c6b444 100644 --- a/content/actions/learn-github-actions/finding-and-customizing-actions.md +++ b/content/actions/learn-github-actions/finding-and-customizing-actions.md @@ -71,7 +71,7 @@ steps: #### Using SHAs -If you need more reliable versioning, you should use the SHA value associated with the version of the action. SHAs are immutable and therefore more reliable than tags or branches. However this approach means you will not automatically receive updates for an action, including important bug fixes and security updates. This example targets an action's SHA: +If you need more reliable versioning, you should use the SHA value associated with the version of the action. SHAs are immutable and therefore more reliable than tags or branches. However this approach means you will not automatically receive updates for an action, including important bug fixes and security updates. {% if currentVersion == "free-pro-team@latest" or currentVersion ver_gt "enterprise-server@3.0" %}You must use a commit's full SHA value, and not an abbreviated value. {% endif %}This example targets an action's SHA: ```yaml steps: diff --git a/content/actions/learn-github-actions/security-hardening-for-github-actions.md b/content/actions/learn-github-actions/security-hardening-for-github-actions.md index deb87de4f2..56b4aab9ca 100644 --- a/content/actions/learn-github-actions/security-hardening-for-github-actions.md +++ b/content/actions/learn-github-actions/security-hardening-for-github-actions.md @@ -54,11 +54,13 @@ This means that a compromise of a single action within a workflow can be very si Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. + {% if currentVersion ver_lt "enterprise-server@3.1" %} {% warning %} **Warning:** The short version of the commit SHA is insecure and should never be used for specifying an action's Git reference. Because of how repository networks work, any user can fork the repository and push a crafted commit to it that collides with the short SHA. This causes subsequent clones at that SHA to fail because it becomes an ambiguous commit. As a result, any workflows that use the shortened SHA will immediately fail. {% endwarning %} + {% endif %} * **Audit the source code of the action** diff --git a/content/actions/reference/workflow-syntax-for-github-actions.md b/content/actions/reference/workflow-syntax-for-github-actions.md index 4030b05950..190adf244c 100644 --- a/content/actions/reference/workflow-syntax-for-github-actions.md +++ b/content/actions/reference/workflow-syntax-for-github-actions.md @@ -518,7 +518,7 @@ Actions are either JavaScript files or Docker containers. If the action you're u ```yaml steps: # Reference a specific commit - - uses: actions/setup-node@74bc508 + - uses: actions/setup-node@c46424eee26de4078d34105d3de3cc4992202b1e # Reference the major version of a release - uses: actions/setup-node@v1 # Reference a minor version of a release