New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pin actions to a full length commit SHA #231

Open

extiop opened this issue Dec 17, 2024 · 0 comments · May be fixed by #232

Labels

enhancement github_actions

extiop commented Dec 17, 2024

According to https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions, it is essential to pin actions to full length commit SHA to know what actions are used in the CI workflows. Tags can be redirected or edited, hence, only trustable (if we don't trust the author) element that we got is the full length commit SHA.

Adding a comment pointing to the version is appreciated, hence, I plan to implement it this way:

- uses: actions-rs/toolchain@8e603f32c5c6eeca5b1b2d9d1e7464d926082f1d # v1.0.0

cf. actions-rs/toolchain@8e603f3

The text was updated successfully, but these errors were encountered:

extiop added enhancement github_actions labels

extiop linked a pull request

that will close this issue

Pin GitHub actions versions #232

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment