Use hashes to pin Actions instead of version tags #250

Open
jhkennedy opened this issue Feb 6, 2025 · 0 comments
Labels
Jira Bug Create a Jira Bug for this issue

Comments

Contributor

jhkennedy commented Feb 6, 2025

Jira: https://asfdaac.atlassian.net/browse/TOOL-3476

Note: The above link is accessible only to members of ASF.


Since CodeQL was enabled for our repos, we've been getting warnings like:

Unpinned tag for a non-immutable Action in workflow

Medium

Unpinned 3rd party Action 'Check links' step uses '[SOME_ACTION]' with ref 'vX.Y.Z', not a pinned commit hash

E.g., https://github.com/ASFHyP3/hyp3-docs/security/code-scanning/32

Dependabot does appear to support updating hash pins, so we could switch to them. This would look like:

- uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 #v2.1.0

Note: dependabot will update the hash and trailing version comment: dependabot/dependabot-core#4691 (comment)

@jhkennedy jhkennedy added the Jira Bug Create a Jira Bug for this issue label Feb 6, 2025
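A small checker for the condition the CodeQL alert above flags, added here as an example and not part of the issue or the hyp3-docs repository: it scans workflow text for `uses:` entries and reports every third-party action or reusable workflow whose ref is not a full 40-hex commit SHA (tags, branches and abbreviated SHAs all count as unpinned). The sample workflow is constructed; only the checkout hash reuses the value quoted in the issue.

```python
import re

# A `uses:` entry may be a step (`- uses: ...`) or a reusable-workflow call
# (`uses: ...` directly under a job); both forms are matched here.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(spec: str) -> str:
    """Classify one `uses:` value: local, docker, pinned, unpinned or malformed."""
    if spec.startswith("./"):
        return "local"          # action in this repository; no ref to pin
    if spec.startswith("docker://"):
        return "docker"         # container image; digest pinning is not checked here
    if "@" not in spec:
        return "malformed"
    _, _, ref = spec.rpartition("@")
    # Only a full 40-hex commit SHA is immutable; tags, branches and
    # abbreviated SHAs are all treated as unpinned.
    return "pinned" if FULL_SHA_RE.match(ref) else "unpinned"


def find_unpinned(workflow_text: str) -> list:
    """Return (line_number, spec) for every action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow (not from the issue); only the checkout hash
# on line 8 is the value quoted in the issue text.
SAMPLE_WORKFLOW = "\n".join([
    "name: ci",                                                          # 1
    "on: [push]",                                                        # 2
    "jobs:",                                                             # 3
    "  build:",                                                          # 4
    "    runs-on: ubuntu-latest",                                        # 5
    "    steps:",                                                        # 6
    "      - uses: actions/checkout@v4",                                 # 7  tag -> unpinned
    "      - uses: actions/checkout@01aecccf739ca6ff86c0539fbc67a7a5007bbc81 #v2.1.0",  # 8 pinned
    '      - uses: "actions/setup-python@v5"',                           # 9  quoted tag -> unpinned
    "      - uses: ./.github/actions/local-step",                        # 10 local
    "      - uses: docker://alpine:3.19",                                # 11 docker
    "  call-reusable:",                                                  # 12
    "    uses: octo-org/octo-repo/.github/workflows/reusable.yml@main",  # 13 branch -> unpinned
])

if __name__ == "__main__":
    for lineno, spec in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {spec} is not pinned to a commit SHA")
```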