tools: use hashes instead of tags for external actions (#43284)
Using tags is a security risk, as they can be updated to point to
anything else.

Refs: nodejs/corepack#117 (comment)

PR-URL: nodejs/node#43284
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
aduh95 authored and guangwong committed Oct 10, 2022
1 parent a9bd7ce commit e741a6d
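As an added check for the rationale in the commit message (example code, not part of the nodejs/node repository): a small audit that scans a workflow file as text and flags every remote action whose ref is not a full commit SHA, plus SHA pins that carry no version comment. It assumes workflows are scanned line by line rather than parsed with a YAML library; the sample fragments are constructed from the step lines in this diff.

```python
import re

# A step line such as "  - uses: owner/repo@ref  # optional comment".
# Scanned as text on purpose: no YAML dependency, and comments survive.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line, action, finding, ref) for each questionable pin."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), m.group(2) or ""
        # Local actions and docker images are out of scope for ref pinning.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        if not ref:
            findings.append((lineno, action, "missing-ref", ""))
        elif SHA_RE.fullmatch(ref):
            # A SHA is immutable but opaque; a "# v1.2.3" comment records
            # what it was resolved from so the pin can be audited and bumped.
            if not re.match(r"v?\d", comment):
                findings.append((lineno, action, "sha-no-version-comment", ref))
        else:
            # Tags and branches can be moved to point at different code.
            findings.append((lineno, action, "mutable", ref))
    return findings


# Constructed sample: step lines from this diff before and after the change.
BEFORE = """\
steps:
  - uses: actions/checkout@v3
  - uses: gr2m/create-or-update-pull-request-action@v1 # Create a PR
  - name: Slack Notification
    uses: rtCamp/action-slack-notify@master
"""
AFTER = """\
steps:
  - uses: actions/checkout@v3
  - uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c # v1.x
  - name: Slack Notification
    uses: rtCamp/action-slack-notify@12e36fc18b0689399306c2e0b3e0f2978b7f1ee7
"""
```

Running `audit_workflow(AFTER)` still reports `actions/checkout@v3` as mutable and the Slack step as a SHA without a version comment, which is exactly what a reviewer would want surfaced on this diff.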
Showing 7 changed files with 17 additions and 7 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/authors.yml
@@ -16,7 +16,9 @@ jobs:
fetch-depth: '0' # This is required to actually get all the authors
persist-credentials: false
- run: tools/update-authors.mjs # Run the AUTHORS tool
- uses: gr2m/create-or-update-pull-request-action@v1 # Create a PR or update the Action's existing PR
- uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
# Creates a PR or update the Action's existing PR, or
# no-op if the base branch is already up-to-date.
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
with:
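Review bot: the added `uses:` line drops the version information that `@v1` carried, so a reader can no longer tell which release `466b1b84c3291c6c69bc56377a6de54a1f4a297c` corresponds to without querying the upstream repository. Keep the tag as a trailing comment, e.g. `- uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c # v1`; that preserves auditability and is the convention Dependabot understands when bumping SHA pins.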
4 changes: 3 additions & 1 deletion .github/workflows/find-inactive-collaborators.yml
@@ -30,7 +30,9 @@ jobs:
run: tools/find-inactive-collaborators.mjs

- name: Open pull request
uses: gr2m/create-or-update-pull-request-action@v1
- uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
# Creates a PR or update the Action's existing PR, or
# no-op if the base branch is already up-to-date.
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
with:
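Review bot: the added line reads `- uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c` while the removed line was `uses: gr2m/create-or-update-pull-request-action@v1`, a key nested under `- name: Open pull request`. If that leading dash is YAML rather than a diff marker, the step is split in two and the `Open pull request` step is left without a `uses:`; please confirm the raw patch keeps `uses:` at the same indentation as `name:`.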
4 changes: 3 additions & 1 deletion .github/workflows/find-inactive-tsc.yml
@@ -39,7 +39,9 @@ jobs:
run: tools/find-inactive-tsc.mjs >> $GITHUB_ENV

- name: Open pull request
uses: gr2m/create-or-update-pull-request-action@v1
- uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
# Creates a PR or update the Action's existing PR, or
# no-op if the base branch is already up-to-date.
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
with:
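Review bot: same structural question as in find-inactive-collaborators.yml: the replaced `uses:` line sat under `- name: Open pull request`, and the added line starts with `- uses:`, so check that the nesting survives in the raw patch. On style, the comment `Creates a PR or update the Action's existing PR` is pasted verbatim into five workflows; `Creates a PR or updates the Action's existing PR` reads correctly and should be fixed in all copies in this commit rather than left to drift.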
4 changes: 3 additions & 1 deletion .github/workflows/license-builder.yml
@@ -15,7 +15,9 @@ jobs:
with:
persist-credentials: false
- run: ./tools/license-builder.sh # Run the license builder tool
- uses: gr2m/create-or-update-pull-request-action@v1.x # Create a PR or update the Action's existing PR
- uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
# Creates a PR or update the Action's existing PR, or
# no-op if the base branch is already up-to-date.
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
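Review bot: this workflow used `@v1.x` while the others used `@v1`, and both now collapse to the same SHA, which is the right outcome; but without a trailing `# v1.x` comment on the new line the next reviewer cannot check that `466b1b84c3291c6c69bc56377a6de54a1f4a297c` really is the release the old floating tag resolved to. Recording the tag next to the hash costs nothing and makes the pin verifiable.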
2 changes: 1 addition & 1 deletion .github/workflows/linters.yml
@@ -164,7 +164,7 @@ jobs:
- uses: actions/checkout@v3
with:
persist-credentials: false
- uses: mszostok/codeowners-validator@v0.6.0
- uses: mszostok/codeowners-validator@7f3f5e28c6d7b8dfae5731e54ce2272ca384592f
with:
checks: files,duppatterns
lint-pr-url:
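Review bot: `actions/checkout@v3` three lines above the change remains a mutable tag while `mszostok/codeowners-validator` is pinned to `7f3f5e28c6d7b8dfae5731e54ce2272ca384592f`; the commit message says hashes are used for external actions, so either pin `actions/checkout` too or state in the PR description that GitHub-owned actions are deliberately exempt. As elsewhere, a `# v0.6.0` trailing comment on the new line would document what the SHA resolves to.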
2 changes: 1 addition & 1 deletion .github/workflows/notify-force-push.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Slack Notification
uses: rtCamp/action-slack-notify@master
uses: rtCamp/action-slack-notify@12e36fc18b0689399306c2e0b3e0f2978b7f1ee7
env:
SLACK_COLOR: '#DE512A'
SLACK_ICON: https://github.com/nodejs.png?size=48
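Review bot: replacing `@master` is the most valuable change in this commit, since a branch ref moves on every push to the upstream repository. When approving a SHA pin, verify that `12e36fc18b0689399306c2e0b3e0f2978b7f1ee7` is reachable from a branch or tag of `rtCamp/action-slack-notify` itself; GitHub's own guidance is to confirm the SHA comes from the action's repository and not from a fork, and a trailing comment naming the matching release makes that check repeatable.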
4 changes: 3 additions & 1 deletion .github/workflows/tools.yml
@@ -62,7 +62,9 @@ jobs:
with:
persist-credentials: false
- run: ${{ matrix.run }}
- uses: gr2m/create-or-update-pull-request-action@v1 # Create a PR or update the Action's existing PR
- uses: gr2m/create-or-update-pull-request-action@466b1b84c3291c6c69bc56377a6de54a1f4a297c
# Creates a PR or update the Action's existing PR, or
# no-op if the base branch is already up-to-date.
env:
GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
with:
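Review bot: with seven workflows now carrying SHA pins, nothing in this change keeps them current, and stale pins are how a fixed upstream bug stays in CI for years. Consider adding a `.github/dependabot.yml` entry for the `github-actions` package ecosystem in the same PR, so the pinned SHAs are bumped through reviewed pull requests; that is also why the `# vN` comments suggested on the other hunks matter, since the bot updates them alongside the hash.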
