@maru-ava
Contributor

Why this should be merged

We should be able to trust that built-in actions (actions/*) have stable tags, but for everything else a SHA should be preferred to a tag to avoid the possibility of a supply-chain attack.

How this works

Updates 3rd-party GitHub action references to use SHAs.

How this was tested

CI

Need to be documented in RELEASES.md?

N/A

We should be able to trust that built-in actions (actions/*) have
stable tags, but for everything else a SHA should be preferred to a
tag to avoid the possibility of a supply-chain attack.
@maru-ava maru-ava added the ci This focuses on changes to the CI process label Mar 21, 2025
@maru-ava maru-ava self-assigned this Mar 21, 2025
@github-project-automation github-project-automation bot moved this to Backlog 🗄️ in avalanchego Mar 21, 2025
@maru-ava maru-ava moved this from Backlog 🗄️ to In Review 👀 in avalanchego Mar 21, 2025
Contributor

@ARR4N ARR4N left a comment

I haven't manually cross-checked the SHAs vs exact versions. Happy to if you'd like but didn't think it was necessary.

@StephenButtolph StephenButtolph added this pull request to the merge queue Mar 21, 2025
Merged via the queue into master with commit 1773484 Mar 21, 2025
24 checks passed
@StephenButtolph StephenButtolph deleted the ci-use-action-shas branch March 21, 2025 18:02
@github-project-automation github-project-automation bot moved this from In Review 👀 to Done ✅ in avalanchego Mar 21, 2025