Description
GitHub Actions across workflow files use mutable tags (@v4, @v3, @v6) instead of commit SHA pins. A compromised upstream action repository can silently inject malicious code into the CI pipeline.
The same pattern applies to container images:
secrets-job.yaml:24 uses quay.io/jumpstarter-dev/jumpstarter-utils:latest without digest pinning- Flasher driver hardcodes
:latest OCI bundles at jumpstarter_driver_flashers/driver.py:19
SLSA attestation (attest-build-provenance@v1) exists but verification is consumer-opt-in.
Suggested Fix
- Pin GitHub Actions to commit SHA digests
- Add Dependabot configuration for GitHub Actions updates
- Pin container images by digest
Description
GitHub Actions across workflow files use mutable tags (
@v4,@v3,@v6) instead of commit SHA pins. A compromised upstream action repository can silently inject malicious code into the CI pipeline.The same pattern applies to container images:
secrets-job.yaml:24usesquay.io/jumpstarter-dev/jumpstarter-utils:latestwithout digest pinning:latestOCI bundles atjumpstarter_driver_flashers/driver.py:19SLSA attestation (
attest-build-provenance@v1) exists but verification is consumer-opt-in.Suggested Fix