Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update all github workflow to use actions tied to sha hashes #15298

Open
Omega359 opened this issue Mar 18, 2025 · 4 comments · May be fixed by #15306 or #15315
Open

Update all github workflow to use actions tied to sha hashes #15298

Omega359 opened this issue Mar 18, 2025 · 4 comments · May be fixed by #15306 or #15315
Assignees
@Jiashu-Hu
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@Omega359
Copy link
Contributor

Omega359 commented Mar 18, 2025
edited
Loading

Is your feature request related to a problem or challenge?

A recent supply chain attack has made it extremely apparent that github workflows should only use actions that are tied to a specific hash, not a version. This applies to any non-github, non-apache action of which there seems to be a few:

an example of how to use a sha hash instead of a version can be seen in the extended.yml file:

uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Additional context

No response
@Omega359 Omega359 added the enhancement New feature or request label Mar 18, 2025
@alamb alamb added the help wanted Extra attention is needed label Mar 18, 2025
@alamb
Copy link
Contributor

alamb commented Mar 18, 2025

Thank you @Omega359 -- I agree this is very important

@alamb alamb added the good first issue Good for newcomers label Mar 18, 2025
@alamb
Copy link
Contributor

alamb commented Mar 18, 2025

I think this is a good first issue as the write up is clear and there is an example to follow

@Jiashu-Hu
Copy link
Contributor

take

@SanjayUG SanjayUG linked a pull request Mar 19, 2025 that will close this issue
Draft
@SanjayUG
Copy link

Hi there,

I just checked this issue and tried to solved it.

Feel free for feedback.

Thank You.

@Jiashu-Hu Jiashu-Hu linked a pull request Mar 19, 2025 that will close this issue
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Jiashu-Hu Jiashu-Hu

Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
4 participants
@Omega359 @alamb @Jiashu-Hu @SanjayUG