Skip to content

ci: pin HashiCorp custom Actions to full commit SHAs to prevent supply-chain attacks#13660

Closed
XananasX7 wants to merge 1 commit into
hashicorp:mainfrom
XananasX7:fix/security-pin-hashicorp-actions-to-commit-shas
Closed

ci: pin HashiCorp custom Actions to full commit SHAs to prevent supply-chain attacks#13660
XananasX7 wants to merge 1 commit into
hashicorp:mainfrom
XananasX7:fix/security-pin-hashicorp-actions-to-commit-shas

Conversation

@XananasX7

Copy link
Copy Markdown

Summary

build.yml and create-release-branch.yml reference HashiCorp's own GitHub Actions using mutable version tags and a branch reference (@v1, @v2, @main). Even first-party actions in separate repositories should be pinned — a compromised signing key or a supply-chain incident in any of the hashicorp/actions-* repos would immediately affect Packer's build and release pipelines.

The build.yml workflow generates release artifacts for multiple platforms (Linux, macOS, Windows) and Docker images, making it a high-value target.

Actions pinned

Action Mutable ref Pinned SHA
hashicorp/actions-set-product-version @v1 @e2c49d61aff17b1280ddfe7bb031331d02ca0140
hashicorp/actions-generate-metadata @main ⚠️ @a43468dfb100445f2c2aa52cdc3d57b2c982a0f3
hashicorp/actions-go-build @v1 @dd7ca5a30c402c933e1fe61e0ff7165e5c4ee9e4
hashicorp/actions-packaging-linux @v1 @006298649be64cee63e7f94a54dfcf3e14766bf6
hashicorp/actions-docker-build @v2 @e12557abf02a40557313ab2839d6cd2c6705261e
hashicorp/actions-create-release-branch @v1 @96a01e83eb1055a66f2097029b50801ff926fea3

Vulnerability class

Supply-chain attack via mutable Action tag/branch references (CWE-829).

@tanmay-hc

Copy link
Copy Markdown
Collaborator

Thanks for creating the PR. This has been fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants