ADR-013 Pinning Versions
Date: 21-08-2025
Status
✅ Accepted
Context
Package management tools and similar marketplace ecosystems (npm, GitHub Actions, etc.) have seen an increase in the number of supply chain attacks. The recent successful exploitation of tj-actions/changed-files, where all existing releases and tags were repointed to malicious code, is a prime example of the direction attacks are taking.
Similar supply chain attacks have happened to most of the common providers, with popular libraries and base Docker images being obvious targets due to their widespread use. These are happening more frequently, and as they are generally part of our build steps there are significant security risks such as exfiltration of secrets and credentials.
Decision
All GitHub Actions will be imported using the specific git SHA / hash (example: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0). Use Renovate to aid in keeping this updated with its helpers:pinGitHubActionDigests configuration option.
Where possible, Docker images will be pinned to a specific SHA digest (example: golang:1.24.4-alpine@sha256:68932fa6d4d4059845c8f40ad7e654e626f3ebd3706eef7846f319293ab5cb7a). Renovate has a docker:pinDigests helper to keep these updated.
Where possible, application code will pin to specific versions of dependencies with their respective package managers.
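An added example, not part of this ADR or any project's code, of a check that enforces the two pinning rules above: it flags workflow uses: references whose ref is not a full 40-character commit SHA, and Dockerfile FROM images that carry no @sha256 digest. The regexes and the sample workflow and Dockerfile are constructed for illustration.

```python
import re

# Added example (not from the ADR): flag GitHub Actions references that are not
# pinned to a full commit SHA and Dockerfile FROM lines without an @sha256 digest.

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s#'\"]+)", re.M)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
FROM_LINE = re.compile(
    r"^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?(\S+)(?:[ \t]+AS[ \t]+(\S+))?", re.M | re.I)
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_actions(workflow_yaml: str) -> list[str]:
    """Return uses: references whose ref is not a 40-hex commit SHA (tags and
    branches are mutable). Local actions (./path) and docker:// refs are skipped."""
    findings = []
    for ref in USES_LINE.findall(workflow_yaml):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append(ref)
    return findings

def unpinned_images(dockerfile: str) -> list[str]:
    """Return FROM images without an @sha256 digest; earlier build stages and scratch are skipped."""
    stages, findings = set(), []
    for image, alias in FROM_LINE.findall(dockerfile):
        if alias:
            stages.add(alias.lower())
        if image.lower() in stages or image.lower() == "scratch":
            continue
        if not IMAGE_DIGEST.search(image):
            findings.append(image)
    return findings

# Constructed sample inputs; the checkout line and golang image reuse the ADR's examples.
SAMPLE_WORKFLOW = """\
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: actions/setup-go@v5
      - uses: ./.github/actions/local-helper
      - uses: some-org/some-action@main
"""
SAMPLE_DOCKERFILE = """\
FROM golang:1.24.4-alpine@sha256:68932fa6d4d4059845c8f40ad7e654e626f3ebd3706eef7846f319293ab5cb7a AS build
FROM alpine:3.20
"""
```

Running unpinned_actions(SAMPLE_WORKFLOW) and unpinned_images(SAMPLE_DOCKERFILE) in CI (failing the job on any non-empty result) turns the decision above into an enforced gate rather than a convention.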
Consequences
- Initial effort required to find and update current GitHub actions
- Additional overhead when creating and updating Docker images to be more exact
- Extra care when using third party tools