Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(.github): pin actions to commit-hash #153

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

build(.github): pin actions to commit-hash #153

wants to merge 1 commit into from
+78 −78

Conversation

Fdawgs
Copy link
Member

@Fdawgs Fdawgs commented Mar 20, 2025
edited
Loading

After what has been happening with tj-actions/changed-files over the past week this is probably a sensible idea.

@RafaelGSS even wrote about it a while back!

Checklist

@Fdawgs Fdawgs marked this pull request as ready for review March 20, 2025 18:55
jsumners
jsumners reviewed Mar 20, 2025
View reviewed changes
.github/workflows/plugins-benchmark-pr.yml
@@ -103,7 +103,7 @@ jobs:
pull-requests: write
steps:
- name: Comment PR
uses: thollander/actions-comment-pull-request@v3
uses: thollander/actions-comment-pull-request@65f9e5c9a1f2cd378bd74b2e057c9736982a8e74 # v3
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my opinion, this one is good, but we don't need to use hashes on the GitHub owned actions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did consider not using hashes for GitHub's official actions as they should (hopefully) be more secure than third-party actions, but official actions aren't immune from being compromised, so pinned them just to help me sleep better at night. 😄

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not immune. But highly unlikely. I think the maintenance cost is too high to use hashes on GH maintained actions.

Copy link
Member Author

@Fdawgs Fdawgs Mar 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot is active in this repo so it'll open PRs for updates for us.

RafaelGSS
RafaelGSS approved these changes Mar 21, 2025
View reviewed changes
Copy link
Member

@RafaelGSS RafaelGSS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW dependabot and renovatebot automatically update those dependencies in the same way as git tags.

@Fdawgs
Copy link
Member Author

Fdawgs commented Mar 21, 2025
edited
Loading

FWIW dependabot and renovatebot automatically update those dependencies in the same way as git tags.

That's fine as this repo doesn't automerge dependabot updates, so someone will now need to manually review and merge, adding an extra layer of security. :)

mcollina
mcollina approved these changes Mar 21, 2025
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@Fdawgs Fdawgs requested review from gurgunday and jsumners March 30, 2025 08:20
gurgunday
gurgunday approved these changes Mar 30, 2025
View reviewed changes
Copy link
Member

@gurgunday gurgunday left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm if @jsumners is convinced, I feel like this trades convenience for security

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mcollina mcollina mcollina approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

@gurgunday gurgunday gurgunday approved these changes

@jsumners jsumners Awaiting requested review from jsumners

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Fdawgs @mcollina @jsumners @RafaelGSS @gurgunday