Change AWS container version from number to SHA

Problem to solve

In #31167 (closed), we provided a container that can be called using the version number. Calling the container by the version number introduces a vulnerability that can be used as an exploit. We should use the signature (SHA256) instead of the version number to add a layer of security

Intended users

Sasha (Software Developer)

Further details

https://julienrenaux.fr/2019/12/20/github-actions-security-risk/

Proposal

In #31167 (closed), we provided a container that can be called using the version number, as in the example below:

deploy:
  stage: deploy
  image: gitlab/gitlab-awsclient@1.0
  script:
    - aws ..."

We need to change this to

deploy:
  stage: deploy
  image: gitlab/gitlab-awsclient@**SHA256**
  script:
    - aws ..."

Permissions and Security

Documentation

Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Links / references

https://lobste.rs/s/7tgnbe/use_github_actions_at_your_own_risk

Edited Mar 28, 2021 by Thao Yeager