
Conversation

@npalm npalm commented Feb 26, 2023

Description

A good practice in supply chain security is to have immutable builds. Currently GH tags for actions are mutable, even when a specific tag like x.y.z is used. Therefore, this PR locks the actions on the SHA. Dependabot can update the actions based on SHA, including the comments pointing to the underlying version.

Migrations required

NO

Verification

n/a
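The pinning practice the description argues for can be checked mechanically. The following is an added example, not code from this PR or from the project: a small linter that walks a workflow file, finds every `uses:` reference, and reports whether the ref is a full 40-hex commit SHA (immutable), a SHA without the version comment Dependabot relies on, or a tag or branch name that a repository owner could move. The sample workflow and the SHA value in it are constructed placeholders, not real action releases.

```python
import re

# A `uses:` step reference: owner/repo[/path]@ref, optionally followed by a
# "# vX.Y.Z" comment that records which release the SHA corresponds to.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*))?\s*$"
)

# Only a full 40-character hex SHA names one immutable commit; tags and
# branches (and anything else) are treated as mutable.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.6.0
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
      - name: Run tests
        run: npm test
"""


def check_workflow(text: str) -> list[dict]:
    """Return one finding per `uses:` reference with an @ref, in file order.

    status is one of:
      "pinned"                    - full SHA plus a version comment
      "pinned-no-version-comment" - full SHA, but no "# vX.Y.Z" hint for Dependabot
      "mutable"                   - tag, branch or other ref that can be moved
    Local actions (./path) carry no @ref and are skipped: they ship with the repo.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        comment = (m.group("comment") or "").strip() or None
        if FULL_SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-version-comment"
        else:
            status = "mutable"
        findings.append(
            {"line": lineno, "action": action, "ref": ref,
             "comment": comment, "status": status}
        )
    return findings


def mutable_refs(text: str) -> list[str]:
    """The references a reviewer would ask to be pinned, as action@ref strings."""
    return [f"{f['action']}@{f['ref']}" for f in check_workflow(text)
            if f["status"] == "mutable"]


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}: {f['status']:<26} {f['action']}@{f['ref']}")
```

Run it against a real `.github/workflows/*.yml` by reading the file into `check_workflow`; a non-empty `mutable_refs` result is the list of steps a change like this PR would rewrite. The version comment matters beyond readability: without it, a later reader cannot tell which release a SHA stands for, and a bumped SHA has nothing to be diffed against.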

@npalm npalm requested a review from kayman-mk as a code owner February 26, 2023 11:18
@github-actions

Hey @npalm! 👋

Thank you for your contribution to the project. Please refer to the contribution rules for a quick overview of the process.

Make sure that this PR clearly explains:

  • the problem being solved
  • the best way a reviewer and you can test your changes

By submitting this PR you confirm that you have the rights to the code added and agree that it will be published under the MIT license.

This message was generated automatically. You are welcome to improve it.

@npalm npalm requested a review from kayman-mk February 26, 2023 14:16
@npalm

npalm commented Mar 2, 2023

@kayman-mk can you check this tiny PR please?


@kayman-mk kayman-mk left a comment

Guess the SHA256 values are correct ;-)

@npalm

npalm commented Mar 2, 2023

Guess the SHA256 values are correct ;-)

Yup, used a nice tool to generate them. And randomly checked some.

@npalm npalm merged commit 8746f14 into main Mar 2, 2023
@kayman-mk kayman-mk deleted the lock-actions branch March 20, 2023 19:36