ci: pin GitHub Actions to full commit SHAs#5349
Conversation
Pin unpinned action references to immutable commit SHAs. Version tags retained as inline comments. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
|
You need to add a NOTE: This is a saved reply. Sorry if it reads as a cookie-cutter response, it was written so that newcomers understand what a "DCO" is and make the process for contributing a little less scary. |
|
I wasn't sure if dependabot supported this style (renovate definitely does) but it seems they do support it so there's no real downside. We should probably also go through and fix any It should be noted that we explicitly do not use actions for releases or anything else sensitive (I think we only need read permissions globally, though I'm not sure we accurately scope them everywhere) so the risk of supply chain attacks is kinda low. |
Pin unpinned GitHub Actions to immutable commit SHAs. Defense against supply-chain attacks via mutable tags. Version tags retained as inline comments. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions