<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/75620>75620</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            CI: Hashpin sensitive workflow dependencies and install dependabot to update them
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          diogoteles08
      </td>
    </tr>
</table>

<pre>
    Hi, I'm Diogo and I'm back (see #69736). At the issue #69736 I suggested you to set minimal permissions to your workflows. Now I'm coming back to suggest a modification that would provide extra safety for the workflows that yet require dangerous permissions (e.g., contents: write).

### Problem

Your workflows [release-binaries.yml](https://github.com/llvm/llvm-project/blob/main/.github/workflows/release-binaries.yml) and [release-tasks.yml](https://github.com/llvm/llvm-project/blob/main/.github/workflows/release-tasks.yml) are using dangerous permissions while running external dependencies pinned only by tag. Both are using external unpinned GitHub Actions, and the release-tasks.yml is also installing unhashed Python dependencies (see https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode). Those patterns could be dangerous because if any of those actions get hijacked (and at the end they're all repositories and are susceptible to attacks like any other), an attacker could change the code that your tags point to, gaining access to your secrets and/or write permissions to your repository.

### Proposed Solution

A solution for this problem would be to hash-pin those sensitive dependencies. For the GitHub Actions, we'd point the actions to the very specific commit of that release. It follows an example of the change:

```
- uses: r-lib/actions/pr-fetch@v1 
would become
- uses: r-lib/actions/pr-fetch@11a22a908006c25fe054c4ef0ac0436b1de3edbe # v1.3.1
```

And this would enforce that your action is always running at the expected code.

For the python dependency, we could install them using Python [hash-checking mode](https://pip.pypa.io/en/stable/topics/secure-installs/#hash-checking-mode).

The only downsize of those solutions is that it gets trickier to manually update the version of the actions as they get out-of-date, but that can be solved by using a Dependency-Update-Tool (like dependabot or renovatebot). We can configure it to update all workflow dependencies in a single monthly PR, for example -- for security updates, the tool would immediately create the PRs regardless of the frequency set. For the case of the hash-pinning, the PRs would still keep a comment with the human-readable version used =).

### Conclusion

I'll take the liberty of raising a PR implementing my suggestions, so that it becomes easier for you to evaluate. Let me know if you have any questions or concerns.

</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJy8Vk2P47gR_TXypWBBpvzRPvjQMw1nBgiCwWSCIMcSVbK4pkgtWbJH-fVBUVK7e7f3sECwgDEDNT-q6tV7j4UxmosjOmW7T9nuZYUDtz6cauMvnslSLJ5Wla_H0xeTqc_wNVOHDl5kFdDV83eF-gqZeopEkKlyfzyU-0wdc3hm4JbAxDg8VuArxOFyochUw-gHYA-RGDrjTIcWegqdidF4F2Vp9EOAuw_Xxvp7zOEf_j6H1b4z7jJFlzumSwGh87VpjEY23gG3yHD3g62hD_5magL6yQEhYkM8QuNDSvI1xHRiJIZAvw4mENToLhT8EN_llqknyi-5wKK9Y3Ics_IZ7sEwSfVZ8ZIVz_O_qpx-8C34ylL3dvE_7yrMPqvsuch2nwJZwkjryjgMhmI-djbbvWTqqWXuJVamzpk6Xwy3Q5Vr32XqbO1t-W_dB_8Lac7UubK-ytS5Q-Mydc6nE5k6P4Kq84fh1DG1-U02jPH6V6XyiKWOEywYCIYoXf-4J_fWWIIwOCd76CdTcGihpp5cTU4bitAb56gG7-wI1QiMlxw-eW7hcfnrwcHNu_9m-MtQwbMWTkXpueAivPldsmAioI0ejIuM1sqFg2sxtlTDt5Fb794nNCvnPZS96fN-7DE3PlNnErAiY2UpU2f2vdECVCQ9BFrPgWI6WUqktW5JX427rDtfJzbCj9ZHgh5ZSougkyKqt-SuSOMQCUwD6EbwDXA6g1PRcCGG1vyC-kq1JC0I4KRwmsAYM3UIBGgtBOp9NOyFSgkrQTcOUVPPprIkikVm1NcI1lxpCsktBWl2wndepzAnq1tJNcXTvqZZpyIexkuE3hvHwF4OX9AkBqDWFB82EkkH4pRPps4-TGL90HFe8x__WMi9j1TDP70dBKC3254hzn-d_cVEcR9R_uxFVUIg9ao3bkY6kouGzY3eESSH8-xRv2fhnTJ1qJfa20ez2KfPG4URYk9aDFEcszM8dRZ5oW4OXxkab5P5oQP6iV1vadpGM-xCzLc47Iv5lz7XMERK9hfW1oieccnx3Id1Q6zbbFvcNjDtXzDQvqM_dcNmg0rhsXgqir1Wu4aK3VZvqSlQF9tyX21qKqmu0msDt01e5psPE57blGhr4twTco0P-i2xphwmRd9xjK_WsvD-Z09a3jEh5DuiLC3rfyP4ceraTOlZubKzm71ndohs9-mdkCEJ-QPP_X8bxdsifrQ0-WTt7y6a_9LDFBZ-RwEnAWZYHCICB6OvhoJQsEM3oLUjDH2NTAslRWoLvRbCYkwOklzGD7z2zVqOCFzVwFMIjU6EE729US3mPUGG8PIK7_pfKdL6h_dWTCp5y4Q-Vp7Bi7SdvyFT5Tk5478pXay9a8xlCCSVsF9SlvYsj9N73zYOECQBS9B5x60d4dt3SVg0v6hovU6fqQOGFySSeKV8ljwn-pmuo9ogkx1BB1rw-vY9QqALhtqKl82wNTKcSMEyOz0cQmN8Fe5iLkLYJZxcNkWLbKyFK1EPmIyBHMPdcDudHTp060BYC5VeezaI4WXlyx_PN5-903aIv_FDGdiE5nidarKmosDpjQlo5iZ--w5GIJNMEuPHZaZb3C76V6pN3hGBMArXBOJ5lqQb2gGZcvi7TJUEV-fv8qjJeou36an5dZjvFUZo77S8inNNq_pU1sfyiCs6bQ6F2u-eikO5ak9E9bbcoD7UWGNTHfT-sD2WtWqaTV0WB1yZkypUuVGb3WZfbssybzZP-rg9ImrC49OhybYFdWhsLmNR7sNllYbj02G3V8XKYkU2pllcKUf3aXLOlJLRPJzSKFUNl5htC2six8ctbNjS6fNXMdAvGFt5Ux6vycf8lVd5MaA3CnlQX1xpNQR7-tNTXspbbCbV9b8AAAD__6gAPL4">