Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hash-pin GitHub Actions and use dependabot to keep them updated #819

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

pnacht
Copy link
Contributor

@pnacht pnacht commented Sep 4, 2023

Fixes #818.

This PR hash-pins all GitHub Actions to ensure their behavior is as expected, protecting the project from supply-chain attacks.

These hashes (and version comments) will be kept up-to-date by dependabot.

ci-release.yml uses crazy-max/ghaction-import-gpg. It was at v3, but the Action is now at v5. The only breaking change was to one argument name, so I've taken the liberty of making that bump.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
@pnacht
Copy link
Contributor Author

pnacht commented Nov 17, 2023

Let me know if this is something the project is interested in. If not, feel free to close!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Hash-pin workflow GitHub Actions
1 participant