Skip to content

ci: pin github action to specific hash #1799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
zakiali merged 1 commit into from
Mar 26, 2025
Merged

ci: pin github action to specific hash #1799

zakiali merged 1 commit into from
Mar 26, 2025

Conversation

@oreparaz
Copy link
Contributor

@oreparaz oreparaz commented Mar 20, 2025
edited
Loading

We do not want a compromised github action (or maintainer thereof) to take over the repo's secrets or integrity. This PR pins every action to a full length commit SHA.

This is the way recommended by github [0]. The following tool was used in this PR: https://github.com/mheap/pin-github-action

Example vulnerability that exploits this vector: GHSA-mrrh-fwg8-r2c3 (CVE-2025-30066).

[0] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

@zakiali
Copy link
Collaborator

zakiali commented Mar 25, 2025

@oreparaz Do you mind resolving conflicts and then I can do a quick review after that

michaelneale
michaelneale approved these changes Mar 25, 2025
View reviewed changes
Copy link
Collaborator

@michaelneale michaelneale left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great idea and long overdue

@oreparaz oreparaz force-pushed the oscar/2025-03-20/pin-github/action branch from 875c8ac to 1032876 Compare March 26, 2025 08:39
@oreparaz
ci: pin github action to specific hash
b3d0eee 
We do not want a compromised github action (or maintainer thereof) to take over
the repo's secrets or integrity. This PR pins every action to a full length
commit SHA.

This is the way recommended by github [0]. The following tool was used in this
PR: https://github.com/mheap/pin-github-action

[0] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
@oreparaz oreparaz force-pushed the oscar/2025-03-20/pin-github/action branch from 1032876 to b3d0eee Compare March 26, 2025 08:45
@oreparaz
Copy link
Contributor Author

oreparaz commented Mar 26, 2025

👌 resolved conflicts and rebased @zakiali

@zakiali zakiali merged commit 49c5ec9 into block:main Mar 26, 2025
6 checks passed
ahau-square pushed a commit that referenced this pull request May 2, 2025
@oreparaz
ci: pin github action to specific hash (#1799)
06e7746
@bwalding bwalding mentioned this pull request May 12, 2025
Open
@rsb-23 rsb-23 mentioned this pull request Jun 18, 2025
Merged
cbruyndoncx pushed a commit to cbruyndoncx/goose that referenced this pull request Jul 20, 2025
@oreparaz
ci: pin github action to specific hash (block#1799)
4135ff3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelneale michaelneale michaelneale approved these changes

@zakiali zakiali zakiali approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@oreparaz @zakiali @michaelneale