🌱 security: pin GitHub Actions to commit hashes #4678
Conversation
I need to double check the source, but we intentionally pin to a tag here due to a requirement from the slsa-verifier. All of our other action usages are pinned.
Hi @spencerschrock, it's safe to pin by hash now. See an example here: https://github.com/ramonpetgrave/my-example-gradle-project/actions/runs/15931641240/job/44941968699?pr=13. What's still not okay to pin by hash are the reusable workflows in slsa-github-generator.
Also, can you fix DCO and ensure any follow-up commits follow the practice?
Pinning by commit is ok for this action
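The distinction the thread draws (a full commit SHA is an immutable pin, a tag or branch can be re-pointed by whoever controls the action repository) is easy to check mechanically. The following is an added example, not code from this PR or from the Scorecard project: it scans the `uses:` references in a workflow and reports everything that is not a full-SHA pin with a version comment. The regex, the sample workflow and all refs other than the slsa-verifier installer hash and tag taken from this PR are constructed placeholders.

```python
import re

# One `uses:` reference per line: owner/repo[/path]@ref, optionally followed by "# <version>" (constructed regex).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)(?:\s*#\s*(\S+))?', re.MULTILINE)

def classify_ref(ref):
    """Classify how a reference is pinned: 'sha', 'short-sha', 'tag' or 'branch'."""
    if re.fullmatch(r'[0-9a-f]{40}', ref):
        return "sha"          # immutable: the only pin the action's publisher cannot move
    if re.fullmatch(r'[0-9a-f]{7,39}', ref):
        return "short-sha"    # abbreviated SHAs are not collision-resistant pins
    if re.match(r'v?\d', ref):
        return "tag"          # tags are mutable and can be re-pointed
    return "branch"           # branch heads move with every push

def audit_workflow(yaml_text):
    """One finding per `uses:` reference that is not a full-SHA pin with a version comment.
    reusable_workflow=True marks job-level reusable workflows, where the thread's caveat applies:
    slsa-github-generator's reusable workflows must still be referenced by tag."""
    findings = []
    for action, ref, comment in USES_RE.findall(yaml_text):
        kind = classify_ref(ref)
        if kind == "sha" and comment:
            continue  # pinned by hash, with the tag recorded for humans and update bots
        findings.append({
            "action": action,
            "ref": ref,
            "kind": "sha-without-version-comment" if kind == "sha" else kind,
            "reusable_workflow": "/.github/workflows/" in action,
        })
    return findings

# Constructed sample workflow. The installer SHA and tag are the ones from this PR; the other refs are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  verify:
    steps:
      - uses: slsa-framework/slsa-verifier/actions/installer@ea584f4502babc6f60d9bc799dbbb13c1caa9ee6 # v2.7.1
      - uses: slsa-framework/slsa-verifier/actions/installer@v2.7.1
      - uses: example-org/example-action@main
      - uses: example-org/example-action@ea584f4
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/example_workflow.yml@v1.0.0
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```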
Pin GitHub Actions to commit hashes for improved security and reproducible builds Signed-off-by: harekrishnarai <786hkr@gmail.com>
- Update slsa-framework/slsa-verifier/actions/installer to v2.7.1
- Use commit hash ea584f4502babc6f60d9bc799dbbb13c1caa9ee6
- Remove date comment as suggested by reviewer
Signed-off-by: harekrishnarai <786hkr@gmail.com>
Issues resolved:
The PR now addresses all review feedback and is ready for re-review. Thank you @spencerschrock for the guidance!
Thank you!
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs. #4678):

              main     #4678    +/-
  Coverage    66.80%   68.29%   +1.48%
  Files       230      249      +19
  Lines       16602    18884    +2282
  Hits        11091    12896    +1805
  Misses      4808     5129     +321
  Partials    703      859      +156

@spencerschrock I just updated this branch with the main branch. If possible, could you please approve the workflow runs so that we can proceed to merge?
This pull request pins all GitHub Actions in workflow files to specific commit hashes to improve security and ensure reproducible builds.

What kind of change does this PR introduce?
(Is it a bug fix, feature, docs update, something else?)
What is the current behavior?
What is the new behavior (if this is a feature change)?
Which issue(s) this PR fixes
Special notes for your reviewer
Does this PR introduce a user-facing change?
For user-facing changes, please add a concise, human-readable release note to the release-note
(In particular, describe what changes users might need to make in their application as a result of this pull request.)