
github: Pin external GitHub Actions to hashes #107

Merged: 5 commits, Dec 21, 2022
Conversation

radeksimko (Member)

The intention here is to reduce the security risk posed by the supply chain - i.e. externally maintained GitHub Actions.

The expectation is that dependabot will continue to update these hashes as and when new versions become available.

@radeksimko radeksimko requested review from a team, shore, sarahethompson and claire-labry and removed request for a team, shore and sarahethompson December 19, 2022 20:32
@mdeggies (Member)

Looks good, thanks for doing this. I don't see a dependabot config file, which I believe is needed unless you're opting into it another way. We're adding these across projects, ex: https://github.com/hashicorp/crt-core-helloworld/blob/main/.github/dependabot.yml.
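As an added example (not code from this PR or from any HashiCorp tool), the check below covers both points raised so far: the PR's goal of pinning external actions to commit SHAs, and the note above that a dependabot config is needed so those pins keep getting bumped. It scans a constructed sample workflow for `uses:` references that are not full 40-hex commit SHAs, and confirms a constructed `.github/dependabot.yml` declares the `github-actions` ecosystem. The sample file contents and the all-zero SHA are assumptions for illustration, not files or commits from this repository.

```python
import re

# Constructed sample workflow (added example, not a file from the PR). It mixes
# references pinned to a mutable tag or branch with one pinned to a full commit SHA.
# The 40-zero SHA is a placeholder, not a real actions/setup-go commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: some-org/some-action@main
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # v3.5.0 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.17
      - run: make test
"""

# Constructed .github/dependabot.yml covering the github-actions ecosystem, the
# configuration the reviewer asks for so that SHA pins keep receiving updates.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
ECOSYSTEM_RE = re.compile(r"^\s*-?\s*package-ecosystem:\s*[\"']?github-actions[\"']?\s*$")


def is_external_action(ref):
    """Local actions (./path) and container images (docker://) are not GitHub
    repositories, so commit-SHA pinning does not apply to them."""
    return not (ref.startswith("./") or ref.startswith("docker://"))


def is_sha_pinned(ref):
    """True when owner/repo[/path]@<ref> uses a full 40-hex commit SHA as <ref>."""
    if "@" not in ref:
        return False  # no ref at all: GitHub rejects this form, treat it as unpinned
    _, _, version = ref.rpartition("@")
    return bool(FULL_SHA_RE.match(version))


def find_unpinned_uses(workflow_text):
    """Return [(line_number, reference)] for every external `uses:` entry whose
    ref is a tag or branch rather than a commit SHA. A tag or branch can be
    moved by whoever has write access to the action's repository, so the
    workflow would silently run different code; a commit SHA cannot be moved."""
    findings = []
    for line_number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if is_external_action(ref) and not is_sha_pinned(ref):
            findings.append((line_number, ref))
    return findings


def dependabot_covers_actions(dependabot_text):
    """True when the dependabot config declares a github-actions update entry.
    Without it, SHA pins never receive version bumps, which trades the
    supply-chain risk for a staleness risk."""
    return any(ECOSYSTEM_RE.match(line) for line in dependabot_text.splitlines())


if __name__ == "__main__":
    for line_number, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {line_number}: {ref} is not pinned to a commit SHA")
    print("dependabot covers github-actions:", dependabot_covers_actions(SAMPLE_DEPENDABOT))
```

Running the script against the sample reports lines 7 and 8 (the `@v3` tag and the `@main` branch) and leaves the SHA-pinned, local and `docker://` entries alone; keeping the human-readable version in a trailing comment next to each SHA, as the sample does, is what lets dependabot and reviewers see which release a pin corresponds to.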

@radeksimko (Member, Author)

@mdeggies Good catch! I've added one to the PR, PTAL.

@radeksimko radeksimko requested review from mdeggies and removed request for claire-labry December 20, 2022 09:58
@radeksimko radeksimko merged commit 31275ae into main Dec 21, 2022
@mdeggies (Member)

Awesome! Thanks again :)

@radeksimko radeksimko deleted the ci-pin-gh-actions branch December 21, 2022 13:03