
Maintenance: remove allow list from untrusted workflows #1440

Closed
@dreamorosi

Description


Summary

The project has a workflow that runs on every push or pull request and is in charge of checking that any workflow used in the repo is applying GitHub's best practices around version pinning.

Currently there's a set of vendors that are considered trusted and that will be exempted from this check. After discussing this internally we have decided to remove this allow list and check all third-party workflows moving forward.

Why is this needed?

To further improve the security posture of workflows and apply zero trust.

Which area does this relate to?

Automation

Solution

No response

Acknowledgment

Future readers

Please react with 👍 and your use case to help us understand customer demand.
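The check described in the issue, as an added example that is not the project's own workflow-linting code: a minimal scanner that extracts every `uses:` reference from a workflow file and flags third-party actions that are not pinned to a full-length commit SHA. It assumes that "version pinning" in the issue means pinning to a 40-hex-character commit SHA (GitHub's documented recommendation for third-party actions), and it runs the same workflow text twice, once with a vendor allow list and once with no allow list, to show which references the proposed change would newly surface. The sample workflow, the vendor names and the SHA in it are constructed for the example.

```python
"""
Added example (not the project's code): flag GitHub Actions references in a
workflow file that are not pinned to a full-length commit SHA, with and
without a vendor allow list.
"""
import re
from typing import Iterable

# A `uses:` value is owner/repo[/path]@ref, ./local/path, or docker://image.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\']+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: tag-pinned, SHA-pinned (placeholder SHA),
# branch-pinned, local and docker references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: some-vendor/release-tool@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
        with:
          args: echo hi
"""


def extract_uses(workflow_text: str) -> list[str]:
    """Return every `uses:` reference in the workflow text, in file order."""
    return USES_RE.findall(workflow_text)


def is_pinned_to_sha(ref: str) -> bool:
    """True when the reference ends in a full 40-hex-character commit SHA."""
    if "@" not in ref:
        return False
    return bool(FULL_SHA_RE.match(ref.rsplit("@", 1)[1]))


def find_unpinned(workflow_text: str, allow_list: Iterable[str] = ()) -> list[str]:
    """
    Return third-party action references that are not SHA-pinned.

    Local actions (./...) and docker:// images are skipped: they are not
    subject to SHA pinning (images would be pinned by digest instead).
    `allow_list` holds owner names exempted from the check; pass nothing to
    check every vendor, which is what removing the allow list amounts to.
    """
    allowed = set(allow_list)
    findings = []
    for ref in extract_uses(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        owner = ref.split("/", 1)[0]
        if owner in allowed:
            continue
        if not is_pinned_to_sha(ref):
            findings.append(ref)
    return findings


if __name__ == "__main__":
    print("with allow list:", find_unpinned(SAMPLE_WORKFLOW, {"actions", "aws-actions"}))
    print("no allow list:  ", find_unpinned(SAMPLE_WORKFLOW))
```

With the allow list in place only `some-vendor/release-tool@main` is reported; with the allow list removed the two tag-pinned references from the previously trusted owners are reported as well, which is the additional coverage the issue is asking for. A tag such as `v4` is mutable and can be moved to a different commit by the action's publisher, whereas a full commit SHA is not, so the stricter check is the one that actually guarantees the reviewed code is what runs.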

Metadata

Labels

automation: This item relates to automation
completed: This item is complete and has been merged/shipped
internal: PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.)
