Pin github actions version packages with sha #3974
Open
Iznogohul wants to merge 1 commit into
Instead of using <action_name>@<version> I have changed all of them to be in the format <action_name>@<sha256> of the latest currently available version of this tag. Since the GitHub Actions have already run in the master blueOS repo, no new versions are getting introduced; they are just getting pinned down.
Description
Prior to this commit all GitHub Actions packages looked for the current latest major release of the package. This could potentially lead to the execution of malicious code if any package maintainer got compromised and new version tags got released or current ones got re-uploaded. So by pinning each and every one, this gets eliminated.
Changed
Notes:
claude-pr-review uses actions/checkout@v4, so this has been changed to the latest v4 version and not the latest available version of actions/checkout. This was done to ensure that nothing will break and the same actions will continue to run.
anthropics/claude-code-action needs to be pinned down; since they release ~1-2 versions each day, it might need to access the latest features of the claude action.
Summary by Sourcery
Pin GitHub Actions workflow dependencies to specific commit SHAs for more deterministic and secure CI runs.
Build:
CI:
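As an added example, not code from this PR or from the blueOS repository: a small Python checker that applies the rule this PR enforces. It scans the `uses:` lines of a workflow file and flags any action reference that is not pinned to a full 40-hex commit SHA (mutable tags such as `@v4`, branches such as `@main`, or no ref at all), skips local `./` actions, and requires a `@sha256:` digest for `docker://` images. It also rewrites a tag reference into the pinned form, keeping the tag as a trailing comment so a reader (and Dependabot, which reads that comment when bumping pinned actions) can still see which version the SHA corresponds to. The workflow text, the SHA in it and `PLACEHOLDER_SHA` are constructed placeholders, not real commits.

```python
import re
from typing import List, NamedTuple

# Constructed sample workflow modelled on the before/after state described in the PR.
# The 40-hex value on the actions/cache line is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.2.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Run tests
        run: npm test
"""

# Placeholder SHA used to demonstrate the rewrite; in practice take it from
# `git rev-parse <tag>` in the action's repository or from the GitHub release page.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

USES_RE = re.compile(r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<ref>\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line_no: int
    ref: str
    reason: str


def is_sha_pinned(ref: str) -> bool:
    """True only when the part after the last '@' is a full 40-hex commit SHA."""
    if "@" not in ref:
        return False
    return SHA_RE.fullmatch(ref.rsplit("@", 1)[1]) is not None


def find_unpinned_actions(workflow_text: str) -> List[Finding]:
    """Return every `uses:` reference that is not immutable, with the line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("\"'")
        if ref.startswith("./"):
            continue  # local action: versioned together with the calling repo
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding(line_no, ref, "container image not pinned by digest"))
            continue
        if "@" not in ref:
            findings.append(Finding(line_no, ref, "no ref given (resolves to default branch)"))
        elif not is_sha_pinned(ref):
            findings.append(Finding(line_no, ref, "mutable tag or branch ref"))
    return findings


def pin_uses_line(line: str, sha: str, version_label: str) -> str:
    """Rewrite `uses: owner/repo@<tag>` as `uses: owner/repo@<sha> # <tag>`."""
    if SHA_RE.fullmatch(sha) is None:
        raise ValueError("sha must be a full 40-hex commit SHA")
    m = USES_RE.match(line)
    if not m or "@" not in m.group("ref"):
        raise ValueError("not a remote action reference with a ref")
    action = m.group("ref").strip("\"'").rsplit("@", 1)[0]
    return f"{m.group('prefix')}{action}@{sha} # {version_label}"


if __name__ == "__main__":
    for f in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.ref}: {f.reason}")
    print(pin_uses_line("      - uses: actions/checkout@v4", PLACEHOLDER_SHA, "v4"))
```

Run against a real `.github/workflows/*.yml` the checker reports each mutable reference with its line number; a clean run means every remote action resolves to a commit that cannot be moved by retagging, which is exactly the re-upload scenario the description above calls out.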