ci: pin actions versions with hashes#652
Open
mdevolde wants to merge 1 commit into
ci: pin actions versions with hashes
I have pinned the versions of the actions used in the workflows with hashes.
Pinning GitHub Actions to a commit hash is an effective safeguard against supply chain attacks. By referencing a specific and immutable version of an action, you prevent compromised versions from being automatically integrated into your pipelines.
Because I bumped versions of some actions, I checked the breaking changes in the involved actions, and our workflows are not affected by these breaking changes.
Here is the link to the tags for the actions I've pinned, if you want to check the hashes:
Pinning versions requires some maintenance, as you must perform manual upgrades regularly. However, in your case, with workflows that handle secrets (such as secrets.KEYSTORE or secrets.PROPERTIES), it's a best practice to avoid trouble.
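As an added example (not code from this PR or from the project), here is a small Python check that does the review this PR description implies: it scans a workflow file for `uses:` references that point at a mutable tag or branch instead of a full 40-character commit SHA, and also flags SHA pins that lack the usual `# vX.Y.Z` comment that makes the manual upgrades mentioned above tractable. It uses a line-based regular expression rather than a YAML parser so it runs with the standard library only; the workflow text, action names and SHA values embedded below are constructed for illustration and are not from the repository.

```python
"""Flag GitHub Actions 'uses:' references that are not pinned to a full commit SHA.

Added example, not part of the PR or the project. The sample workflow, action
names and SHA values below are constructed placeholders.
"""
import re
import sys
from dataclasses import dataclass

# A full commit SHA is 40 hex characters. A shorter prefix, a tag or a branch name
# can be moved later by the action's maintainer or by whoever compromises the repo.
_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches `- uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
# Local actions (./path) and docker:// images carry no `@ref`, so they never match.
_USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#@]+)@([^\s#]+)\s*(#\s*(.*))?$")


@dataclass
class UsesRef:
    line_no: int
    action: str
    ref: str
    comment: str

    @property
    def pinned(self) -> bool:
        """True when the ref is an immutable full-length commit SHA."""
        return bool(_FULL_SHA.match(self.ref))

    @property
    def has_version_comment(self) -> bool:
        """A SHA pin should carry the human-readable version it corresponds to."""
        return bool(re.search(r"v?\d+(\.\d+)*", self.comment))


def parse_uses(workflow_text: str) -> list[UsesRef]:
    """Extract every remote action reference from a workflow, with its line number."""
    refs = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES.match(line)
        if m:
            action, ref, _, comment = m.groups()
            refs.append(UsesRef(line_no, action, ref, comment or ""))
    return refs


def find_unpinned(workflow_text: str) -> list[str]:
    """Return one finding per reference that is mutable or lacks a version comment."""
    findings = []
    for r in parse_uses(workflow_text):
        if not r.pinned:
            findings.append(
                f"line {r.line_no}: {r.action}@{r.ref} is a mutable ref (tag/branch); "
                "pin it to a full commit SHA"
            )
        elif not r.has_version_comment:
            findings.append(
                f"line {r.line_no}: {r.action}@{r.ref} is SHA-pinned but has no "
                "'# vX.Y.Z' comment to track upgrades"
            )
    return findings


# Constructed sample: one tag pin, one correct SHA pin, one SHA pin without a
# version comment, one branch pin. The SHA values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4.2.1
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
      - run: ./gradlew build
"""

if __name__ == "__main__":
    # Check the files given on the command line, or the built-in sample if none.
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_WORKFLOW]
    for text in sources:
        for finding in find_unpinned(text):
            print(finding)
```

Run it with the paths of the files under `.github/workflows/` to get a finding per unpinned step; an empty output means every remote action is referenced by a full commit SHA with a version comment beside it. The version comment is what lets a tool or a reviewer see which release the SHA corresponds to when doing the periodic manual upgrades the PR description mentions.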