From da398bd4c2f4d32b2bfff833a05c8e000e793e6a Mon Sep 17 00:00:00 2001
From: Protobuf Team Bot
Date: Tue, 29 Aug 2023 07:06:43 -0700
Subject: [PATCH] Hash pin github workflows

## Description

I would like to suggest a security practice recommended by the [OpenSSF Scorecard][scorecard-repo], which is to hash pin dependencies to prevent typosquatting and tag renaming attacks.

The change would only be applied to GitHub workflows. This means hash pinning GitHub Workflow actions.

Along with hash-pinning dependencies, I also recommend adopting dependabot (or another dependency update tool) to help keep the dependencies up to date. Most tools can update hashes and associated semantic version comments.

Any questions or concerns, just let me know. Thanks!

## Additional Context

A tag renaming attack is a type of attack whereby an attacker:

- Hijacks an action.
- Uploads a malicious version.
- Replaces existing tags with malicious versions.

A [typosquatting attack][typosquatting] is a type of attack whereby an attacker:

- Creates a malicious package.
- Publishes it with a name similar to that of a known package (example: numpi instead of numpy).

For more information about the dependency-update tools:

- [Dependabot][dependabot]

[scorecard-repo]: https://github.com/ossf/scorecard
[deps-confusion]: https://www.websecuritylens.org/how-dependency-confusion-attack-works-and-how-to-prevent-it/
[typosquatting]: https://snyk.io/blog/typosquatting-attacks/
[dependabot]: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
[renovatebot]: https://www.mend.io/renovate/

PiperOrigin-RevId: 561019142
---
 .github/dependabot.yml          | 8 ++++++++
 .github/workflows/test_cpp.yml  | 2 +-
 .github/workflows/test_java.yml | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..f4538061c8
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,8 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" # Necessary to update action hashs + directory: "/" + schedule: + interval: "weekly" + # Allow up to 3 opened pull requests for github-actions versions + open-pull-requests-limit: 3 \ No newline at end of file diff --git a/.github/workflows/test_cpp.yml b/.github/workflows/test_cpp.yml index 137fad6e74..ff0dbac9c1 100644 --- a/.github/workflows/test_cpp.yml +++ b/.github/workflows/test_cpp.yml @@ -7,7 +7,7 @@ on: required: true description: "The SHA key for the commit we want to run over" type: string - + permissions: contents: read diff --git a/.github/workflows/test_java.yml b/.github/workflows/test_java.yml index b3e6a4cacb..6270741a22 100644 --- a/.github/workflows/test_java.yml +++ b/.github/workflows/test_java.yml @@ -110,6 +110,6 @@ jobs: run: | sudo rm -rf _build - name: Validate Protobuf BOM - uses: googleapis/java-cloud-bom/tests/validate-bom@v26.13.0 + uses: googleapis/java-cloud-bom/tests/validate-bom@fd56f04bb0bc581776a74031591f0b3bc5e7920a # v26.13.0 with: bom-path: java/bom/pom.xml
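Review bot: In the new `.github/dependabot.yml` hunk, the file is missing its trailing newline (`\ No newline at end of file`) and the inline comment reads `# Necessary to update action hashs`; add the final newline and correct the comment to `hashes`. The `package-ecosystem: "github-actions"` entry with `directory: "/"` is the correct setting, since Dependabot resolves workflow files under `.github/workflows` from that root. The weekly `interval` with `open-pull-requests-limit: 3` is reasonable, but note that every action whose pinned SHA moves arrives as a separate pull request, so the limit caps how many actions can be rotated per week; raise it if more than three actions end up pinned across the workflows.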
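Review bot: The `test_cpp.yml` hunk appears to be a whitespace-only change (the removed line before `permissions:` is replaced by an empty line) and pins no action, so `test_cpp.yml` shows up in the changed-file list without actually receiving the hash pinning the subject line promises; either drop the hunk or state in the description that it is a cleanup. Any `uses:` references in that workflow that are still tag-pinned should get the same `@<full-sha> # vX.Y.Z` form used in `test_java.yml`, otherwise the tag renaming risk the description motivates remains for those actions.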
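Review bot: The `test_java.yml` hunk pins `googleapis/java-cloud-bom/tests/validate-bom` to `fd56f04bb0bc581776a74031591f0b3bc5e7920a # v26.13.0`, which is the correct form: a full-length commit SHA (GitHub does not accept abbreviated SHAs for `uses:` pins) with the version kept as a trailing comment so Dependabot can bump both together. Before merging, confirm out of band that this commit is the one tag `v26.13.0` resolved to in `googleapis/java-cloud-bom` at the time the patch was prepared; the hunk cannot show that correspondence, and a mismatched SHA would still run but silently pin a different revision than the comment claims. Note also that the SHA pins the whole repository commit, so the `tests/validate-bom` subpath is taken from that revision.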