chore: Use commit SHAs in workflows #1767

Merged: 11 commits, Dec 3, 2024

Conversation

alimpens

@alimpens alimpens commented Nov 27, 2024

Describe the pull request

Thank you for contributing to the project!
Please use this template to help us handle your PR smoothly.

What

It changes the version numbers for actions to commit SHAs.

Why

Version numbers for actions are a security risk. They're based on tags, which are mutable. In other words, a maintainer of an action repo can change what code 'v1' points to at will.

See this blog post for more info.

How

By replacing the version numbers with SHAs, using pin-github-action.

Checklist

Before submitting your pull request, please ensure you have done the following. Check each checkmark if you have done so or if it wasn't necessary:

  • Add or update unit tests
  • Add or update documentation
  • Add or update stories
  • Add or update exports in index.* files
  • Start the PR title with a Conventional Commit prefix, as explained here.

@alimpens alimpens marked this pull request as draft November 27, 2024 11:18
@github-actions github-actions bot temporarily deployed to demo-use-shas-in-workflows November 27, 2024 14:52 Destroyed
@github-actions github-actions bot temporarily deployed to demo-use-shas-in-workflows November 27, 2024 14:55 Destroyed
@alimpens alimpens marked this pull request as ready for review November 27, 2024 14:55
@github-actions github-actions bot temporarily deployed to demo-use-shas-in-workflows November 27, 2024 14:58 Destroyed
@github-actions github-actions bot temporarily deployed to demo-use-shas-in-workflows December 2, 2024 10:03 Destroyed
@github-actions github-actions bot temporarily deployed to demo-use-shas-in-workflows December 2, 2024 10:05 Destroyed
Co-authored-by: Aram <37216945+alimpens@users.noreply.github.com>
@github-actions github-actions bot temporarily deployed to demo-use-shas-in-workflows December 2, 2024 13:55 Destroyed
@github-actions github-actions bot temporarily deployed to demo-use-shas-in-workflows December 3, 2024 16:07 Destroyed
@github-actions github-actions bot temporarily deployed to demo-use-shas-in-workflows December 3, 2024 16:12 Destroyed
@VincentSmedinga VincentSmedinga merged commit ff1b1a8 into develop Dec 3, 2024
6 checks passed
@VincentSmedinga VincentSmedinga deleted the task/use-shas-in-workflows branch December 3, 2024 18:53