Pin actions to a full length commit SHA

- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions >Pin actions to a full length commit SHA >Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions Also, dependabot supports upgrading based on SHA. Signed-off-by: naveensrinivasan <[email protected]>
kubernetes-sigs · Mar 27, 2022 · bb35e3b · bb35e3b
1 parent 89a1613
commit bb35e3b
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 6 deletions.
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
@@ -34,7 +34,7 @@ jobs:
       run: make modules
     - name: Update generated code
       run: make generate
-    - uses: EndBug/add-and-commit@v7
+    - uses: EndBug/add-and-commit@8c12ff729a98cfbcd3fe38b49f55eceb98a5ec02 # v7
       name: Commit changes
       with:
         author_name: dependabot[bot]

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018 # v2
         with:
           version: v1.44.0
           working-directory: ${{matrix.working-directory}}
diff --git a/.github/workflows/lint-docs.yaml b/.github/workflows/lint-docs.yaml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@master
-    - uses: gaurav-nelson/github-action-markdown-link-check@v1
+    - uses: gaurav-nelson/github-action-markdown-link-check@9710f0fec812ce0a3b98bef4c9d842fc1f39d976 # v1
       with:
         use-quiet-mode: 'yes'
         config-file: .markdownlinkcheck.json
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ jobs:
         run: |
           make release-notes
       - name: Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@4716bde57e0fcda6ce83002e2469b8a90e560573 # v1
         with:
           draft: true
           files: out/*

diff --git a/.github/workflows/update-homebrew-formula-on-release.yml b/.github/workflows/update-homebrew-formula-on-release.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Update Homebrew formula
-        uses: dawidd6/action-homebrew-bump-formula@v3
+        uses: dawidd6/action-homebrew-bump-formula@dd221ff435f42fa8102b5871bb1929af9d76476c # v3
         with:
           token: ${{secrets.HOMEBREW_UPDATE_TOKEN}}
           formula: clusterctl

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -9,6 +9,6 @@ jobs:
     steps:
     - name: Verifier action
       id: verifier
-      uses: kubernetes-sigs/[email protected]
+      uses: kubernetes-sigs/kubebuilder-release-tools@4777888c377a26956f1831d5b9207eea1fa3bf29 # v0.1
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}