Skip to content

Conversation

zerosnacks
Copy link
Member

@zerosnacks zerosnacks commented Sep 16, 2025

Pinning hashes for dependencies in workflows is a security best practice

Excluded from pinning are actions from the github/* and actions/* given that these are officially managed by Github and are not raised by zizmor

By configuring dependabot with package-ecosystem: "github-actions" it will open a pull request only for updating pinned hashes (not cargo, etc..): https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot#enabling-dependabot-version-updates-for-actions

The <hash> #<branch_name> syntax is what dependabot picks up on

Note: removes unused install_test_binaries shell script as I believe this is unused

@zerosnacks zerosnacks marked this pull request as ready for review September 16, 2025 12:03
@onbjerg onbjerg enabled auto-merge (squash) September 16, 2025 12:23
@onbjerg onbjerg merged commit 6bfac85 into main Sep 16, 2025
18 checks passed
@onbjerg onbjerg deleted the zerosnacks/pin-ci-deps branch September 16, 2025 12:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants