security: harden GitHub actions

[m1rm]

Latest issues with security regarding GitHub Actions workflows are not new. This PR applies some basic hardening.

• set persists-credentials to false on checkout action
• use commit hashes for actions instead of @versionNumber

Source: https://phpunit.expert/articles/hardening-github-actions-workflows.html

[m1rm]

if the question arirses, why not do more that is (for example) mentioned in the article: I wanted to keep it simple. For example pinning the actions to commit hashes is as simple as an improvement but comes with the cost of additional maintenance load. I am happy include that, too, just let me know.

[jelly]

Thanks!

[jelly]

Thanks!

Note that it doesn't seem to be too bad these days as since v6:

Improved credential security: persist-credentials now stores credentials in a separate file under $RUNNER_TEMP instead of directly in .git/config

[jelly]

Looked at this again, it doesn't really make sense we don't set any permissions on the token

[m1rm]

its just for credentials not being persisted on disk. The token used by the checkout action is that "magic" GITHUB_TOKEN used by GitHub. As stated in the article:

"By default, the actions/checkout action writes the workflow's GITHUB_TOKEN into .git/config so that later steps can push commits or call the GitHub API on behalf of the workflow. For most jobs that token is never needed again after the checkout. It sits in the working directory until the job ends." (outdated regarding the write location)

Not sure how the upstream change improves it, writing to a temp dir still is writing to disk for the time the runner runs if I understand correctly.

[christian-heusel]

For example pinning the actions to commit hashes is as simple as an improvement but comes with the cost of additional maintenance load. I am happy include that, too, just let me know.

This is not really much of an overhead FYI as dependabot can deal with it when the initial format is there, see for example https://github.com/kubeflow/notebooks/pull/1062/changes

[m1rm]

@christian-heusel thx, nice to now! I was not sure if dependabot can deal with it (I know it can with @vesionNumber and wasnt sure about the commit hashes).

[m1rm]

I updated the actions using commit hashes and also latest versions. I made separate commits to provide some info in the commit message regarding major github action version changes (I can squash those to one if you like).

Should I also add the dependabot config for updates? we could run it like once a month?

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"