Merge pull request #403 from Staffbase/security/pin-readme-versions-by-sha

0x46616c6b · web-flow · commit 424e5517e0f4 · 2026-02-24T15:47:59.000+01:00
security: pin README workflow references by commit SHA
diff --git a/.github/workflows/versions.yml b/.github/workflows/versions.yml
@@ -12,9 +12,17 @@ jobs:
     steps:
       - name: Checkout the source code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          fetch-tags: true
+
+      - name: Get release SHA
+        id: get_sha
+        run: echo "sha=$(git rev-list -n 1 ${{ github.ref_name }})" >> "$GITHUB_OUTPUT"
+
       - name: Find and Replace old versions
         run: |
-          sed -i -E 's/(v[0-9]+.[0-9]+.[0-9]+)/${{ github.ref_name }}/g' README.md
+          sed -i -E 's/@[a-f0-9]{40}  # v[0-9]+\.[0-9]+\.[0-9]+/@${{ steps.get_sha.outputs.sha }}  # ${{ github.ref_name }}/g' README.md
+          sed -i -E 's/@v[0-9]+\.[0-9]+\.[0-9]+/@${{ steps.get_sha.outputs.sha }}  # ${{ github.ref_name }}/g' README.md
 
       - name: Get App Token
         uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94  # v2.2.0
diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@ on: ...
 
 jobs:
   <action name>:
-    uses: Staffbase/gha-workflows/.github/workflows/template_*.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_*.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions: ...  # see individual examples below
     with: ...
 ```
@@ -42,7 +42,7 @@ on:
 
 jobs:
   dependabot:
-    uses: Staffbase/gha-workflows/.github/workflows/template_automerge_dependabot.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_automerge_dependabot.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions: {}
     with:
       # optional: ⚠️ only enable the force merge if you want to do the merge just now
@@ -78,7 +78,7 @@ on:
 
 jobs:
   autodev:
-    uses: Staffbase/gha-workflows/.github/workflows/template_autodev.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_autodev.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
     with:
@@ -124,7 +124,7 @@ on:
 
 jobs:
   changeset-check:
-    uses: Staffbase/gha-workflows/.github/workflows/template_changeset_check.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_changeset_check.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
       pull-requests: write
@@ -149,7 +149,7 @@ on:
 
 jobs:
   changeset-release:
-    uses: Staffbase/gha-workflows/.github/workflows/template_changeset_release.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_changeset_release.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
     with:
@@ -189,7 +189,7 @@ on:
 
 jobs:
   flaky-tests:
-    uses: Staffbase/gha-workflows/.github/workflows/template_flaky_tests.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_flaky_tests.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions: {}
     with:
       # identifier for the slack channel
@@ -224,7 +224,7 @@ on: [push]
 
 jobs:
   gitops:
-    uses: Staffbase/gha-workflows/.github/workflows/template_gitops.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_gitops.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
     with:
@@ -313,7 +313,7 @@ on:
 
 jobs:
   jira_annotate:
-    uses: Staffbase/gha-workflows/.github/workflows/template_jira_tagging.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_jira_tagging.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
     with:
@@ -348,7 +348,7 @@ on:
 
 jobs:
   ld_code_references:
-    uses: Staffbase/gha-workflows/.github/workflows/template_launchdarkly_code_references.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_launchdarkly_code_references.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
     with:
@@ -375,7 +375,7 @@ on:
 
 jobs:
   block:
-    uses: Staffbase/gha-workflows/.github/workflows/template_merge_block.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_merge_block.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       pull-requests: write
     with:
@@ -405,7 +405,7 @@ on:
 
 jobs:
   update_release_draft:
-    uses: Staffbase/gha-workflows/.github/workflows/template_release_drafter.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_release_drafter.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: write
       pull-requests: read
@@ -453,7 +453,7 @@ on:
 
 jobs:
   new_version:
-    uses: Staffbase/gha-workflows/.github/workflows/template_release_version.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_release_version.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
     with:
@@ -490,7 +490,7 @@ on: [pull_request]
 
 jobs:
   trufflehog:
-    uses: Staffbase/gha-workflows/.github/workflows/template_secret_scan.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_secret_scan.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
 ```
@@ -511,7 +511,7 @@ on:
 
 jobs:
   stale:
-    uses: Staffbase/gha-workflows/.github/workflows/template_stale.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_stale.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: write
       pull-requests: write
@@ -552,7 +552,7 @@ on:
 
 jobs:
   techdocs:
-    uses: Staffbase/gha-workflows/.github/workflows/template_techdocs_monorepo.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_techdocs_monorepo.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
     secrets:
@@ -583,7 +583,7 @@ on:
 
 jobs:
   techdocs:
-    uses: Staffbase/gha-workflows/.github/workflows/template_techdocs.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_techdocs.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
     with:
@@ -615,7 +615,7 @@ on: [pull_request]
 
 jobs:
   terraform:
-    uses: Staffbase/gha-workflows/.github/workflows/template_terraform_format.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_terraform_format.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
       pull-requests: write
@@ -651,7 +651,7 @@ on:
 
 jobs:
   yamllint:
-    uses: Staffbase/gha-workflows/.github/workflows/template_yaml.yml@v11.1.0
+    uses: Staffbase/gha-workflows/.github/workflows/template_yaml.yml@4a95cf9b92fb10df9707c8dbe852b7060d9105f7  # v11.1.0
     permissions:
       contents: read
       checks: write
