Supply chain hardening for GitHub Actions #1401

Closed
wants to merge 6 commits into from

Conversation

MadsRC
@MadsRC MadsRC commented Mar 22, 2025

Fixes Or Enhances

This PR pins the versions of the various GitHub Actions used throughout this project.

Why pin?

Version pinning is an essential security control to defend against supply chain attacks. Recently, a well-known GitHub Action (tj-actions/changed-files) was compromised to leak secrets. Such an attack would not have been successful if downstream users had pinned their dependencies. More info can be found here: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

Additional information about pinning GitHub Actions can be found here: https://www.stepsecurity.io/blog/pinning-github-actions-for-enhanced-security-a-complete-guide

Updates

Dependabot is compatible with pinning GitHub Actions and will submit back PRs with new versions pinned. Additionally, it should add a comment to the end of the hash (like I've done in the code) to show exactly what version is being used.

Make sure that you've checked the boxes below before you submit PR:

  • Tests exist or have been written that cover this particular change.

@go-playground/validator-maintainers
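The pinning convention the PR describes (a full 40-character commit SHA after `@`, followed by a `# vX.Y.Z` comment so Dependabot can track the version) can be checked mechanically. The following is an added example, not code from the PR or from the go-playground project; the workflow text and the 40-hex SHA in it are constructed placeholders, not real commits.

```python
import re

# One `uses:` step reference: owner/repo[/path]@ref, optionally followed by a
# "# <version>" comment as recommended in the PR description above.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^\s@#]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?\s*$"
)
# A full commit SHA is the only reference that cannot be moved by a repo owner.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
"""


def check_workflow(text: str) -> list[dict]:
    """Return one finding per `uses:` line that is not SHA-pinned, or that is
    pinned but lacks the trailing version comment Dependabot relies on."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local (./path) and docker:// references have no @ref here
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            problem = "not pinned to a full commit SHA"
        elif comment is None:
            problem = "pinned but missing version comment"
        else:
            continue
        findings.append({"line": lineno, "action": action, "ref": ref, "problem": problem})
    return findings


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']}: {f['problem']}")
```

Run against `.github/workflows/*.yml` in CI to stop a floating tag from being reintroduced after this PR's pins land.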

@MadsRC MadsRC requested a review from a team as a code owner March 22, 2025 13:03
@MadsRC MadsRC closed this Mar 22, 2025
@coveralls
coveralls commented Mar 22, 2025

Coverage Status

coverage: 74.245% (+0.004%) from 74.241%
when pulling dd7011a on MadsRC:supplyChainHardening
into 8592022 on go-playground:master.

@MadsRC MadsRC reopened this Mar 22, 2025
@MadsRC MadsRC closed this Mar 22, 2025
@MadsRC MadsRC deleted the supplyChainHardening branch March 22, 2025 13:07