
github: Pin external GitHub Actions to hashes #107

Status: Merged (5 commits), Dec 21, 2022

Conversation

radeksimko (Member, author):

The intention here is to reduce the security risk posed by the supply chain - i.e. externally maintained GitHub Actions.

The expectation is that dependabot will continue to update these hashes as and when new versions become available.

@radeksimko radeksimko requested review from a team, shore, sarahethompson and claire-labry and removed request for a team, shore and sarahethompson December 19, 2022 20:32
@mdeggies (Member):

Looks good, thanks for doing this. I don't see a dependabot config file, which I believe is needed unless you're opting into it another way. We're adding these across projects, ex: https://github.com/hashicorp/crt-core-helloworld/blob/main/.github/dependabot.yml.
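The two points raised in this thread, pinning every external `uses:` reference to an immutable commit SHA and letting dependabot keep those SHAs current, can be checked mechanically. The script below is an added example, not code from this PR or from the hashicorp repository: it audits workflow text for references that are still on a mutable tag or branch, and rewrites a `uses:` line into the pinned form with the human-readable version kept as a trailing comment (the convention dependabot recognises and updates alongside the hash). The sample workflow is constructed for the example, the 40-hex and sha256 values in it are placeholders rather than real releases, and `Finding`, `audit`, `is_pinned` and `pin_line` are names chosen here.

```python
"""Audit GitHub Actions workflow text for actions not pinned to a commit SHA.

Added example; assumes only the standard library. Parsing is line-based on
purpose so it runs without PyYAML and survives odd indentation.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample workflow (not from the PR). The SHA and digest values are
# placeholders, not real releases.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v3.x (placeholder)
      - uses: "some-org/some-action@main"
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.17
      - uses: docker://ghcr.io/example/tool@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - name: Test
        run: go test ./...
"""

# `uses:` may be a list item or a bare key, quoted or not; stop at whitespace or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")          # git commit SHA (GitHub Actions only supports SHA-1 refs)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")  # OCI image digest for docker:// actions


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the workflow text
    ref: str     # the raw `uses:` reference
    reason: str  # why it is considered mutable


def is_pinned(ref: str) -> bool:
    """True if the reference is immutable: a commit SHA, an image digest, or a local action."""
    if ref.startswith("./"):
        return True  # local action: versioned together with the calling repository
    if "@" not in ref:
        return False  # no ref at all resolves to a default branch or :latest
    _target, version = ref.rsplit("@", 1)
    if ref.startswith("docker://"):
        return bool(DIGEST_RE.match(version))
    return bool(SHA1_RE.match(version))


def audit(workflow_text: str) -> List[Finding]:
    """Return every `uses:` reference that is not pinned, with its line number."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if not is_pinned(ref):
            reason = "no ref" if "@" not in ref else f"mutable ref '{ref.rsplit('@', 1)[1]}'"
            findings.append(Finding(lineno, ref, reason))
    return findings


def pin_line(line: str, sha: str) -> str:
    """Rewrite a `uses:` line to `owner/repo@<sha> # <old ref>`.

    The trailing comment keeps the version readable and is what dependabot
    updates together with the hash when a new release appears. `sha` is
    assumed to have been resolved out of band (e.g. from the release tag).
    """
    m = USES_RE.match(line)
    if not m or not SHA1_RE.match(sha):
        raise ValueError("not a uses: line, or sha is not a 40-hex commit id")
    ref = m.group(1)
    target, version = ref.rsplit("@", 1) if "@" in ref else (ref, "")
    prefix = line[: m.start(1)].rstrip("\"'")  # drop an opening quote if the ref was quoted
    pinned = f"{prefix}{target}@{sha}"
    return pinned + (f" # {version}" if version else "")


if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Run against a real checkout with `audit(open(path).read())` for each file under `.github/workflows/`; anything reported is a reference a compromised upstream tag could silently change. The matching dependabot entry that keeps the pins current uses `package-ecosystem: "github-actions"` with `directory: "/"`.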

@radeksimko (Member, author):

@mdeggies Good catch! I've added one to the PR, PTAL.

@radeksimko radeksimko requested review from mdeggies and removed request for claire-labry December 20, 2022 09:58
@radeksimko radeksimko merged commit 31275ae into main Dec 21, 2022
@mdeggies (Member):

Awesome! Thanks again :)

@radeksimko radeksimko deleted the ci-pin-gh-actions branch December 21, 2022 13:03