Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pin Actions SHAs #101

Merged
merged 2 commits into from
Dec 20, 2022
Merged

Pin Actions SHAs #101

merged 2 commits into from
Dec 20, 2022

Conversation

AlvaroBrey
Copy link
Member

@AlvaroBrey AlvaroBrey commented Dec 20, 2022
edited
Loading

I was going to open an issue for this, but I thought I could just open a PR to discuss it.

Pinning full commit SHAs is best practice for security. We recently did this in the Android repos and
I noticed that some of our workflows come from this repo.

Dependabot should also open PRs for this and update both the SHA and the comment, see this issue

Docs: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Automatically pinned with https://github.com/mheap/pin-github-action and then cleaned up manually.

@AlvaroBrey AlvaroBrey added the 3. to review Waiting for reviews label Dec 20, 2022
skjnldsv
skjnldsv requested changes Dec 20, 2022
View reviewed changes
Copy link
Member

@skjnldsv skjnldsv left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it works with dependabot bumping actions like #100

@AlvaroBrey
Copy link
Member Author

Does it works with dependabot bumping actions like #100

It should, see link in first post

skjnldsv
skjnldsv approved these changes Dec 20, 2022
View reviewed changes
Copy link
Member

@skjnldsv skjnldsv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure then.
I find it a bit more confusing to really see what happens; but so be it 👍

@skjnldsv skjnldsv merged commit 9eaae19 into master Dec 20, 2022
@delete-merged-branch delete-merged-branch bot deleted the pin-actions-sha branch December 20, 2022 14:06
@nickvergessen
Copy link
Member

Sure then.
I find it a bit more confusing to really see what happens; but so be it +1

exactly my thoughts :D

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@skjnldsv skjnldsv skjnldsv approved these changes

@nickvergessen nickvergessen nickvergessen approved these changes

Assignees
No one assigned
Labels
3. to review Waiting for reviews
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AlvaroBrey @nickvergessen @skjnldsv