
Add optional lint to require that actions are pinned to commit hashes #436

Open: wants to merge 2 commits into base: main

Conversation

mortenson (Author):

This PR addresses the "Pin Actions to a full length commit SHA" part of #198 by optionally enforcing that actions are pinned to (full) commit hashes.

This can be enabled by setting require-commit-hash to true in actionlint.yaml.

I haven't contributed to this repo before, so please let me know if you'd like any changes!

@@ -284,6 +285,10 @@ var BrandingIcons = map[string]struct{}{
"zoom-out": {},
}

var hashRegex = regexp.MustCompile("^[0-9a-f]{40}$")
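Review bot: the hashRegex added at the end of this hunk only matches a 40-character lowercase hex string, so a workflow pinned to an uppercase digest (which Git resolves just as well) would be reported as unpinned, and a repository using SHA-256 object names (64 hex characters) could never satisfy the rule. Consider "^[0-9a-fA-F]{40}$" (or lowercasing the ref before matching) and, if SHA-256 repositories are in scope, allowing a 64-character form too. A one-line comment above the variable saying that it backs the require-commit-hash option from actionlint.yaml would also help, since nothing in this hunk connects the regex to the rule that uses it.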
mortenson (Author) commented on this line:

You could use short hashes as well, but I was almost certain that would conflict with branch names so this seems better.
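To show what the require-commit-hash option described in the PR would enforce, here is an added, stand-alone Go example; it is not actionlint's code and not the PR's implementation. It scans a constructed workflow for uses: entries with a line-based regex (actionlint itself walks a parsed YAML tree) and applies the same 40-hex lowercase check as the PR's hashRegex, so tags, branch names and the short hashes discussed in the comment above are all reported. The usesLine matcher, the Finding type, the exemptions for ./local and docker:// actions, and the sample workflow including its placeholder SHA are this example's own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// fullSHA mirrors the PR's hashRegex: a full-length, lowercase SHA-1.
// Tags, branch names and abbreviated hashes do not match.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// usesLine is a hypothetical line-based matcher for `uses:` entries (an
// assumption of this example; actionlint uses its YAML parser instead).
// It captures the reference up to a quote, whitespace or a trailing comment.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*['"]?([^'"\s#]+)`)

// Finding records one `uses:` reference that is not pinned to a full SHA.
type Finding struct {
	Line   int
	Uses   string
	Reason string
}

// IsFullCommitSHA reports whether ref is a 40-hex lowercase commit hash.
func IsFullCommitSHA(ref string) bool {
	return fullSHA.MatchString(ref)
}

// CheckPinning scans workflow text and returns a finding for every remote
// action whose ref is missing or is not a full commit SHA. Local actions
// (./path) and docker:// images carry no Git ref, so they are skipped;
// treating them as exempt is this example's assumption.
func CheckPinning(workflow string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		uses := m[1]
		if strings.HasPrefix(uses, "./") || strings.HasPrefix(uses, "docker://") {
			continue
		}
		at := strings.LastIndex(uses, "@")
		if at < 0 {
			findings = append(findings, Finding{Line: i + 1, Uses: uses, Reason: "no ref after '@'"})
			continue
		}
		ref := uses[at+1:]
		if !IsFullCommitSHA(ref) {
			findings = append(findings, Finding{
				Line:   i + 1,
				Uses:   uses,
				Reason: fmt.Sprintf("ref %q is not a full-length commit SHA", ref),
			})
		}
	}
	return findings
}

// SampleWorkflow is constructed input for the demo; the 40-hex value on the
// setup-go line is a placeholder, not a real commit.
const SampleWorkflow = `name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: actions/cache@0123456
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: someone/tool@main
`

func main() {
	for _, f := range CheckPinning(SampleWorkflow) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Uses, f.Reason)
	}
}
```

Running it reports the checkout tag, the seven-character cache hash and the main branch reference; the line pinned to a 40-hex value passes, and the local and docker:// steps are not examined at all.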

@ChrisCarini (Contributor) left a comment:

Awesome! 🎉 👏

Looking forward to seeing this feature incorporated since it is a recommended 'security hardening' best-practice that GitHub states: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

mortenson (Author):

@rhysd what do you think? Viable and/or any changes you'd suggest?
