[StepSecurity] ci: Harden GitHub Actions #4838
Conversation
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@Nikhil-Ladha can you update the commit to include a little more detail, and remove the
@@ -11,7 +11,7 @@ jobs: | |||
runs-on: ubuntu-latest | |||
steps: | |||
- name: take the issue | |||
uses: bdougie/take-action@main | |||
uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # main |
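Review bot: the trailing `# main` comment on the pinned line records a moving branch rather than a release, so any tooling that reads that comment to refresh the SHA (the Dependabot behaviour asked about in this thread) will keep following the head of `main`, and a reviewer has no stable version marker to compare against. Consider pinning to a tagged release of `bdougie/take-action` and naming that tag in the comment instead of `main`; if the action publishes no tags, note that in the commit message so the next person reviewing an update knows the SHA was taken from the branch head.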
I wonder how this works together with dependabot updates...
Even I have the same doubt.
Seems like dependabot is configured to work in accordance with this: ossf/scorecard#4348; it is from the ossf/scorecard repo itself.
Also, I can't update the commit id/PR title for this PR so I will have to open a new PR for this change.
This is the commit title and description I am planning for the new PR:
ci: Harden GitHub Actions
Update GitHub actions to use full length commit ids for third-party actions to reduce security risk in case of vulnerabilities.
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
As the lint job is failing, let's open a new PR with the same content and fix all the problems.
Created a separate PR #4850.
Seems like I don't have permission to close this PR; can someone please do that on my behalf?
Summary
This pull request is created by StepSecurity at the request of @Nikhil-Ladha. Please merge the Pull Request to incorporate the requested changes. Please tag @Nikhil-Ladha on your message if you have any questions related to the PR.
Security Fixes
Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit.
Feedback
For bug reports, feature requests, and general feedback, please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
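The PR description above states the rule (tags are mutable, pin to a full-length commit) but the thread has no way to check a workflow against it. The following is an added example, not code from this PR, from StepSecurity or from the repository: a small Python scanner that walks `uses:` lines of a workflow file and reports every reference that is not pinned to a 40-character commit SHA. It goes slightly beyond the single line changed in the hunk by also classifying same-repo (`./`) actions and `docker://` image references, whose tags are mutable in the same way. The workflow text is constructed for the example; only the SHA on the `take-action` line is taken from the PR hunk, the other action names and versions are illustrative.

```python
import re

# Constructed sample workflow (not a file from the repository). The SHA on the
# take-action line is the one shown in the PR hunk; everything else is made up
# to exercise the different kinds of reference a scanner has to tell apart.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  take:
    runs-on: ubuntu-latest
    steps:
      - name: take the issue
        uses: bdougie/take-action@1439165ac45a7461c2d89a59952cd7d941964b87 # main
      - uses: actions/checkout@v4
      - uses: actions/setup-go@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

# Matches a `uses:` step line, capturing the reference and any trailing comment
# (the "# main" / "# v4" annotation that SHA-pinned lines usually carry).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Classify one `uses:` reference.

    Returns (kind, version) where kind is one of:
      local    - same-repository action, nothing external to pin
      docker   - container image; mutable unless an @sha256: digest is used
      unpinned - no @version at all (GitHub rejects this, but flag it anyway)
      sha      - pinned to a full 40-hex commit SHA
      mutable  - a tag or branch name, which can be moved after review
    """
    if ref.startswith("./"):
        return ("local", None)
    if ref.startswith("docker://"):
        return ("docker", None)
    if "@" not in ref:
        return ("unpinned", None)
    _action, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return ("sha", version)
    return ("mutable", version)


def find_mutable_actions(workflow_text):
    """Return (line_number, reference, finding) for every reference that is
    not pinned to an immutable identifier."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        kind, _version = classify_uses(ref)
        if kind in ("mutable", "unpinned"):
            findings.append((lineno, ref, kind))
        elif kind == "docker" and "@sha256:" not in ref:
            # An image tag such as :3.19 can be re-pointed just like a git tag.
            findings.append((lineno, ref, "docker-tag"))
    return findings


if __name__ == "__main__":
    for lineno, ref, finding in find_mutable_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({finding})")
```

Running it on the constructed workflow reports the `@v4` and `@main` references and the `docker://alpine:3.19` image, and stays quiet about the SHA-pinned `take-action` line and the local action. The version comment after a pinned SHA is deliberately not treated as evidence of anything: it is what a human (or an updater bot) reads, but the only thing that actually fixes the code being executed is the SHA itself.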