Pin GitHub Actions to commit hashes to prevent supply chain attacks#2
Closed
- Pin actions/checkout to 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
- Pin actions/setup-node to 49933ea5288caeca8642d1e84afbd3f7d6820020 (v4.4.0)
- Pin actions/upload-artifact to 50769540e7f4bd5e21e526ee35c689e35e0d6874 (v4.4.0)
- Pin actions/github-script to 60a0d83039c74a4aee543508d2ffcb1c3799cdea (v7.0.1)

This prevents potential supply chain attacks by ensuring specific versions are used.

- Pin actions/checkout to 11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
- Pin actions/cache to 6849a6489940f00c2f30c0fb92c6274307ccb58a (v4.1.2)
- Pin actions/upload-artifact to 50769540e7f4bd5e21e526ee35c689e35e0d6874 (v4.4.0)
- Pin vapor/swiftly-action to afdde2275f2b916c2704383f3a6b72032adb488c (v0.2.0)

This completes the security hardening of all GitHub Actions workflows.

- Update actions/cache to 5a3ec84eff668545956fd18022155c47e93e2684 (v4.2.3)
- Update actions/upload-artifact to ea165f8d65b6e75b540449e92b4886f43607fa02 (v4.6.2)

This ensures we're using the most recent stable versions with security fixes.
Background
This PR changes GitHub Actions in our workflows from version tags to specific commit hashes to prevent potential supply chain attacks.
Reference: https://www.wiz.io/ja-jp/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
Changes
Updated Actions:
- actions/checkout@v4 → actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 (v4.2.2)
- actions/setup-node@v4 → actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 (v4.4.0)
- actions/cache@v4 → actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 (v4.2.3)
- actions/upload-artifact@v4 → actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 (v4.6.2)
- actions/github-script@v7 → actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea (v7.0.1)
- vapor/swiftly-action@v0.2.0 → vapor/swiftly-action@afdde2275f2b916c2704383f3a6b72032adb488c (v0.2.0)

Files Modified:
- .github/workflows/release.yml
- .github/workflows/ci.yml

Security Benefits
Maintenance
Testing
All existing CI/CD functionality remains unchanged. The workflows will continue to work exactly as before, but with enhanced security.
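As an added example (not the project's code and not part of this PR), the following Python script shows the check a reviewer would run to confirm that every `uses:` reference in a workflow is pinned to a full 40-character commit SHA with a trailing version comment, and a helper that rewrites tag references using a pin table. The sample workflow text, the `PINS` table and all function names are constructed for the example; the SHAs and version labels in the table are the ones listed in this PR, and resolving a tag to its commit (for instance with `git ls-remote`) is assumed to happen out of band before the table is built.

```python
import re

# Constructed sample workflow (not the repository's ci.yml): the "before" job
# uses mutable tags, the "after" job uses full-SHA pins as this PR does.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-step
  after:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      - uses: actions/cache@5a3ec84 # v4.2.3
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
"""

# Pin table built from the values in this PR; tag -> (full SHA, version label).
PINS = {
    "actions/checkout@v4": ("11bd71901bbe5b1630ceea73d27597364c9af683", "v4.2.2"),
    "actions/setup-node@v4": ("49933ea5288caeca8642d1e84afbd3f7d6820020", "v4.4.0"),
}

# Matches a `uses:` step line, capturing the reference and any trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^"'\s#]+)["']?\s*(#.*)?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Classify a `uses:` reference as 'local', 'sha', 'short-sha' or 'mutable'."""
    if ref.startswith("./"):
        return "local"  # in-repo action, versioned with the repo itself
    if ref.startswith("docker://"):
        # Container images are immutable only when pinned by digest.
        return "sha" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    version = ref.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(version):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", version):
        return "short-sha"  # GitHub requires the full SHA for an immutable pin
    return "mutable"  # tag or branch name: can be moved by the action's maintainers


def find_unpinned(workflow_text):
    """Return (line_number, ref, reason) for each step that is not safely pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind == "local":
            continue
        if kind == "mutable":
            reason = ("image tag; pin to an @sha256: digest" if ref.startswith("docker://")
                      else "mutable tag or branch; pin to a full 40-character commit SHA")
            findings.append((lineno, ref, reason))
        elif kind == "short-sha":
            findings.append((lineno, ref, "abbreviated SHA; use the full 40-character SHA"))
        elif not comment and not ref.startswith("docker://"):
            findings.append((lineno, ref, 'pinned, but missing the "# vX.Y.Z" comment'))
    return findings


def pin_workflow(workflow_text, pins):
    """Rewrite mutable refs found in `pins` to `action@<sha> # <label>`; others unchanged."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable" and m.group(1) in pins:
            ref = m.group(1)
            sha, label = pins[ref]
            action = ref.rsplit("@", 1)[0]
            prefix = line[: line.index(ref)]
            line = f"{prefix}{action}@{sha} # {label}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
    print(pin_workflow(SAMPLE_WORKFLOW, PINS))
```

Run stand-alone, the script reports the two tag-pinned steps, the digest-less image, the abbreviated SHA and the pin without a version comment, then prints the workflow with the two table entries rewritten. The version comment matters because tooling such as Dependabot uses it to know which release a SHA corresponds to, and a reviewer uses it to confirm the SHA really is the tagged commit.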