Skip to content

ci: pin GitHub Actions to full commit SHAs#5349

Open
XananasX7 wants to merge 1 commit into
opencontainers:mainfrom
XananasX7:fix/pin-actions-1782619591
Open

ci: pin GitHub Actions to full commit SHAs#5349
XananasX7 wants to merge 1 commit into
opencontainers:mainfrom
XananasX7:fix/pin-actions-1782619591

Conversation

@XananasX7

Copy link
Copy Markdown

Pin unpinned GitHub Actions to immutable commit SHAs. Defense against supply-chain attacks via mutable tags. Version tags retained as inline comments. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Pin unpinned action references to immutable commit SHAs.
Version tags retained as inline comments.

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
@cyphar

cyphar commented Jul 15, 2026

Copy link
Copy Markdown
Member

You need to add a Signed-off-by: line to your commit(s) which indicates that you attest the Developer Certificate of Origin a statement about your contributions that you must read before signing (don't worry, it's quite short and easy-to-read). You can add it to your commits with git commit --amend -s, and then doing a git push --force.

NOTE: This is a saved reply. Sorry if it reads as a cookie-cutter response, it was written so that newcomers understand what a "DCO" is and make the process for contributing a little less scary.

@cyphar

cyphar commented Jul 15, 2026

Copy link
Copy Markdown
Member

I wasn't sure if dependabot supported this style (renovate definitely does) but it seems they do support it so there's no real downside. We should probably also go through and fix any zizmor lint failures too...

It should be noted that we explicitly do not use actions for releases or anything else sensitive (I think we only need read permissions globally, though I'm not sure we accurately scope them everywhere) so the risk of supply chain attacks is kinda low.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants