SEC-090: Automated trusted workflow pinning (2023-07-18) #175

hashicorp-tsccr · 2023-07-18T16:24:30Z

You can alter the configuration of this automation via the hcl config in hashicorp/security-tsccr/automation

This is in support of RFC SEC-090 which is due to be implemented by EOQ2 FY24.

Please do the following:

Approve and merge this PR if you are happy with the changes.
Check if there are any untrusted third-party Actions in the workflow files and onboard them to the TSCCR.
The yaml comments "# TSCCR: no entry for repository..." or "# TSCCR: no version of..." in the workflow files identifies an untrusted Action.
If you have to onboard any third-party Actions, update and pin your workflows using the tsccr-helper tool after the Actions have been onboarded OR reach out to #team-prodsec and we can run this automation again.
Verify that your Actions are still working as expected after pinning.

Please reach out to #team-prodsec if you have any questions.

nywilken

LGTM

hashicorp-tsccr bot requested a review from a team as a code owner July 18, 2023 16:24

hashicorp-tsccr bot added the SEC-090 Auto-pinning label Jul 18, 2023

hashicorp-tsccr bot and others added 2 commits September 11, 2023 14:46

Result of tsccr-helper -log-level=info -pin-all-workflows .

039bf27

Pin hashicorp/setup-packer to SHA version

9adf089

nywilken force-pushed the tsccr-auto-pinning/trusted/2023-07-18 branch from 3c07f77 to 9adf089 Compare September 11, 2023 18:50

nywilken approved these changes Sep 11, 2023

View reviewed changes

nywilken merged commit 9342d06 into main Sep 11, 2023

nywilken deleted the tsccr-auto-pinning/trusted/2023-07-18 branch September 11, 2023 18:51

Provide feedback