From ef3ae77f0b830a7d6eeb53e8e6f5a267a77c2149 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Morais?= Date: Mon, 25 Aug 2025 10:35:41 +0200 Subject: [PATCH 1/2] feat: add doc on pinning GitHub actions --- doc/source/getting-started/administration.rst | 1 + doc/source/how-to/repository-protection.rst | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/doc/source/getting-started/administration.rst b/doc/source/getting-started/administration.rst index 4a7c31cb7..59aaaae83 100644 --- a/doc/source/getting-started/administration.rst +++ b/doc/source/getting-started/administration.rst @@ -180,6 +180,7 @@ The PyAnsys core team performs these checks when performing the technical review | |uncheck| :ref:`Branch protection` is enabled. | |uncheck| :ref:`Tag protection` is enabled. | |uncheck| :ref:`Workflow protection` is enabled. + | |uncheck| :ref:`Pin actions with full-length commit SHA` is enabled. .. |check| raw:: html diff --git a/doc/source/how-to/repository-protection.rst b/doc/source/how-to/repository-protection.rst index 88d5a45f7..8ea59ed47 100644 --- a/doc/source/how-to/repository-protection.rst +++ b/doc/source/how-to/repository-protection.rst 
@@ -132,3 +132,19 @@ their PR workflows do not have to be accepted every time that they intend to run Internal and private repositories are only available to organization users and repository members, respectively. Thus, no specific rules for outside collaborators are needed. + +Pin actions with full-length commit SHA +--------------------------------------- + +Protect your workflows by requiring actions to be pinned to a full-length commit SHA. +To enable the setting **Require actions to be pinned to a full-length commit SHA**, select +**Settings > Actions > General** and see the **Actions permissions** section. + +When this option is active, all GitHub Actions used in workflows must reference a specific +commit hash, for example `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` instead +of a moving tag such as `v4`. The main advantage of this option is supply chain security. Indeed, tags +are mutable in the sense that an attacker who gains access to a project, or even a legitimate maintainer +updating a tag, could introduce breaking changes or malicious code without you noticing. Pinning to a +commit SHA eliminates that risk by locking the dependency to a known version. On top of that, since the +action's code cannot change silently in the background, it guarantees that every workflow run uses the +exact same version of the action. From 839d48c8e52e7adb640c772ec894982aeec279ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Morais?= Date: Mon, 25 Aug 2025 16:16:51 +0200 Subject: [PATCH 2/2] refactor: add GitHub best practices link --- doc/source/how-to/repository-protection.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/source/how-to/repository-protection.rst b/doc/source/how-to/repository-protection.rst index 8ea59ed47..b309c3d37 100644 --- a/doc/source/how-to/repository-protection.rst +++ b/doc/source/how-to/repository-protection.rst 
@@ -147,4 +147,5 @@ are mutable in the sense that an attacker who gains access to a project, or even updating a tag, could introduce breaking changes or malicious code without you noticing. Pinning to a commit SHA eliminates that risk by locking the dependency to a known version. On top of that, since the action's code cannot change silently in the background, it guarantees that every workflow run uses the -exact same version of the action. +exact same version of the action. For more details and additional best practices, you can consult the +`official GitHub documentation on securely using third-party actions `_.
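Review bot: the second paragraph of the new "Pin actions with full-length commit SHA" section overstates the guarantee where it says pinning "eliminates that risk": a full-length SHA removes tag mutability, but the pinned revision still has to be reviewed when it is chosen and updated deliberately when the action publishes fixes, and the trailing `# v4.2.2` comment is documentation only (Dependabot reads and rewrites it when bumping SHA-pinned actions), so it must be kept in sync with the SHA it annotates. Suggest "Pinning to a commit SHA removes that risk by locking the dependency to a known, reviewed revision, which then changes only when you update it" plus a sentence that the version comment has to match the pinned commit. Separately, reStructuredText inline literals need double backticks: ``actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`` and ``v4``, because single backticks render as interpreted text rather than as code.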
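Review bot: the external link added in the last hunk has no target: `official GitHub documentation on securely using third-party actions `_ leaves the URL slot between the link text and `_ empty, so Sphinx will warn about an unknown target and render a broken reference. The reStructuredText form is `link text <https://...>`_, so the URL of the GitHub page needs to be filled in before merge. Minor: "you can consult" is more conversational than the rest of the guide; "see the ..." matches the surrounding sentences.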