chore: pin GitHub Actions to SHA for supply chain security #2
luis-hong wants to merge 14 commits into
Walkthrough: In two GitHub workflow files, action references were changed from version tags to specific commit hashes. In benchmarking.yml,
jobs:
  security-check:
    uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main
- 🚫 Please pin the action by specifying a commit SHA instead of a tag/branch.
Instructions and example for changelog
Please add an entry to
Example:
## Unreleased
- pin GitHub Actions to SHA for supply chain security ([#2](https://github.com/Buzzvil/sentry-cocoa/pull/2))
If none of the above apply, you can opt out of this check by adding
- …/benchmarking.yml
- …/codeql-analysis.yml
- …/format-code.yml
- …/integration-tests.yml
- …/profile-data-generator.yml
- …/saucelabs-UI-tests.yml
External fork repositories are excluded from the blanket application of SHA pinning. Reason: in fork repositories the security-check CI does not work properly because of restricted access to the org's self-hosted runners and restrictions on calling private reusable workflows. They will be handled individually when needed.
Summary
This PR pins GitHub Actions to specific commit SHAs instead of mutable tags/branches to improve supply chain security.

Changes
- .github/workflows/benchmarking.yml: pinned 1 action(s)
- .github/workflows/release.yml: pinned 1 action(s)

Why?
Mutable references (@v2, @main) can be changed by upstream maintainers at any time. SHA pinning ensures reproducible builds and protects against supply chain attacks.

References