Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The problem is actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 probably doesn’t do this same pinning, and the actions ecosystem is such an intertwined mess that any single compromised action can propagate to the rest


Yes, true, but at least the fire won't spread through this one point. Hopefully all of your upstreams can be persuaded to pin also.


Doesn't a single compromised action in the chain cause the whole to be fucked? Pinning the top level doesn't prevent any spread.


Might want to vendor everything?


That’s the way to go indeed. We’ve done it, not difficult, just a bit of gruntwork to keep them updated when needed


I don't know what this means in this context.


Make copies of the entire GitHub action dependency tree.


Well, it is a git commit hash of the action repo that contains the transpiled/bundled javascript.

Like: https://github.com/actions/checkout/tree/11bd71901bbe5b1630c...

So I'm pretty sure that for the same commit hash, I'll be executing the same content.


This is true specifically for actions/checkout, but composite actions can have other actions as dependencies, and unless the composite action pins the versions of its dependencies, it is vulnerable for this attack.

This article[0] gives a good overview of the challenges, and also has a link to a concrete attack where this was exploited.

[0]: https://nesbitt.io/2025/12/06/github-actions-package-manager...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: