Skip to main content

Security

In the following, we'll discuss some security considerations when using the release-plz GitHub action and how to mitigate them.

Using latest version

The examples provided in the documentation use the latest version of the release-plz GitHub action.

For example, the following snippet uses the v0.5 version of the release-plz GitHub action:

jobs:
release-plz:
name: Release-plz
runs-on: ubuntu-latest
steps:
- ...
- name: Run release-plz
uses: release-plz/[email protected]

This script updates this tag to whatever the latest 0.5.x version is. This means that if the latest version of release-plz is 0.5.34, with v0.5 you will use that version. If tomorrow, release-plz 0.5.35 is released, you will use that version without the need to update your workflow file.

While this is great for new features and bug fixes, it can also be a security risk.

⚠️ Risk: malicious code published on your crates.io crate

An attacker who manages to push and tag malicious code to the GitHub action repository could use your cargo registry token to push malicious code to your crate on crates.io. This means you or your users could download and run the malicious code.

✅ Solution: pin the action version

To mitigate this risk, you can use a specific version of the release-plz GitHub action. By specifying a commit hash, the action won't be updated automatically.

For example:

jobs:
release-plz:
name: Release-plz
runs-on: ubuntu-latest
steps:
- ...
- name: Run release-plz
uses: release-plz/action@63ab0c2746bedc448370bad4b0b3d536458398b0 # v0.5.50

This is the same approach used in the crates.io repository.