Hash-pin GitHub Actions #1103

Merged
merged 1 commit into from
Sep 7, 2023

Conversation

pnacht
Contributor

@pnacht pnacht commented Sep 7, 2023

Fixes #1102.

This PR ensures a workflow's behavior isn't disrupted whenever an Action publishes a broken or malicious release by hash-pinning all Actions.

The only exceptions are the cifuzz Actions, which unfortunately have to be kept @master due to how the project's infrastructure is set up.

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
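A defender-side lint for the policy this PR applies (every Action pinned to a full commit SHA with a version comment, plus an allowlist for the cifuzz Actions kept on @master), written as an added example that is not part of the PR or of the jackson project. The sample workflow, the all-zero SHA and the version numbers are constructed placeholders, and the cifuzz allowlist prefix is an assumption:

```python
import re

# A `uses:` step reference: owner/repo[/path]@ref, optionally followed by a comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
# A full 40-hex commit SHA is immutable; tags and branches can be moved or replaced.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"v?\d+(\.\d+)*")

# Constructed sample workflow. The all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0000000000000000000000000000000000000000 # v3.12.0
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000
      - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
"""

# Assumed allowlist prefix for the cifuzz Actions the PR knowingly keeps on @master.
CIFUZZ_PREFIX = "google/oss-fuzz/infra/cifuzz"

def check_workflow(text, allow_unpinned=()):
    """Return (line_no, action, problem) for each `uses:` not pinned to a full commit
    SHA with a version comment; `allow_unpinned` lists prefixes that may stay on a branch."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote action reference (local ./ and docker:// are skipped)
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if any(action.startswith(p) for p in allow_unpinned):
            continue
        if not SHA_RE.match(ref):
            findings.append((no, action, f"ref {ref!r} is a mutable tag/branch, not a commit SHA"))
        elif not (comment and VERSION_RE.search(comment)):
            # Dependabot keeps this comment in sync; without it the pin is unreadable.
            findings.append((no, action, "SHA pin has no '# vX.Y.Z' version comment"))
    return findings

def demo():
    # Lint the constructed workflow with the cifuzz exception applied.
    return check_workflow(SAMPLE_WORKFLOW, allow_unpinned=(CIFUZZ_PREFIX,))
```

Running `demo()` flags `actions/checkout` (tag pin) and `actions/upload-artifact` (SHA without a version comment) while leaving the allowlisted cifuzz step alone.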
@cowtowncoder
Member

Thanks! While I really dislike use of hashes for readability reasons, this is quite ok since:

  1. There's a comment on which version hash (allegedly :) ) matches, and
  2. It's auto-updated by Dependabot (... does it add a comment too? Too bad if not)
  3. It's for action deps where version doesn't have much significance to me anyway ("just use the latest")

So I think I'll merge this as suggested. Thanks!

@cowtowncoder cowtowncoder merged commit 228d3f5 into FasterXML:2.16 Sep 7, 2023
@pnacht
Contributor Author

pnacht commented Sep 8, 2023

  2. It's auto-updated by Dependabot (... does it add a comment too? Too bad if not)

Yes, Dependabot will also keep the version comment up-to-date.

@cowtowncoder
Member

  2. It's auto-updated by Dependabot (... does it add a comment too? Too bad if not)

Yes, Dependabot will also keep the version comment up-to-date.

Excellent. That's perfect then.

@cowtowncoder
Member

@pnacht I was wondering if you could provide PR to do the same for jackson-databind and jackson-annotations? I like how this has worked here.

@pnacht
Contributor Author

pnacht commented Oct 16, 2023

Done!

Successfully merging this pull request may close these issues.

Hash-pin workflow GitHub Actions