
Commit 4d21104

Pin SHA of third-party GitHub Actions (#677)
The full-version Git tags used by Actions are mutable (as seen in recent events in the wider GitHub Actions community), so pinning third-party Actions to a SHA is recommended:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

The version tag has been added after the pin as a comment (as a readability aid) in a format that Dependabot will keep up to date:
dependabot/dependabot-core#4691

I've also enabled Dependabot grouping for GitHub Actions updates to reduce PR noise.

GUS-W-18051077.
1 parent 77984f4 commit 4d21104

File tree

3 files changed: +13 −8 lines


.github/dependabot.yml (+5)
@@ -4,3 +4,8 @@ updates:
44
directory: "/"
55
schedule:
66
interval: "monthly"
7+
groups:
8+
github-actions:
9+
update-types:
10+
- "minor"
11+
- "patch"
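Review bot: the `github-actions` group collects only `minor` and `patch` updates, so major bumps still arrive as individual PRs; that is the right split for SHA-pinned actions, since a major change is the one that deserves its own review. Two things sit outside the hunk and should be confirmed: that the `package-ecosystem` of this `updates:` entry is `github-actions` (the group name by itself does not scope the group to an ecosystem), and that omitting `patterns:` is intended, which is Dependabot's default of grouping every dependency in the ecosystem. Dependabot rewrites the trailing `# vX.Y.Z` comment after a pinned SHA only when the comment has exactly that form, so the grouped PRs will keep the version comments in the workflow files accurate as long as nobody hand-edits them into another shape.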

.github/workflows/build-test-publish.yml (+7 −7)
@@ -41,7 +41,7 @@ jobs:
4141
- name: Checkout
4242
uses: actions/checkout@v4
4343
- name: Install Pack CLI
44-
uses: buildpacks/github-actions/setup-pack@v5.8.8
44+
uses: buildpacks/github-actions/setup-pack@0f05ba41fb74d56ab4cb27485f538a8d65b4122e # v5.8.9
4545
- name: Create builder image
4646
run: pack builder create ${{ matrix.builder }} --config ${{ matrix.builder }}/builder.toml --pull-policy always
4747
# We export the run image too (and not just the generated builder image), since it adds virtually
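Review bot: line 44 bumps the version (v5.8.8 to v5.8.9) and switches to a SHA pin in one step, so the diff alone cannot show that `0f05ba41fb74d56ab4cb27485f538a8d65b4122e` is the commit the `v5.8.9` tag names. Verify the pin against the peeled tag before merging, for example `git ls-remote https://github.com/buildpacks/github-actions 'refs/tags/v5.8.9^{}'`; the `^{}` matters because an annotated tag's own object SHA differs from the commit it points to, and pinning the tag object instead of the commit is a common mistake. Line 42 leaves `actions/checkout@v4` on a floating tag, which is consistent with the commit's stated scope of pinning third-party actions only, but a one-line comment there saying the first-party actions are intentionally left on major tags would stop a later reader from treating it as an oversight.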
@@ -87,7 +87,7 @@ jobs:
8787
ref: main
8888
repository: heroku/${{ matrix.language }}-getting-started.git
8989
- name: Install Pack CLI
90-
uses: buildpacks/github-actions/setup-pack@v5.8.8
90+
uses: buildpacks/github-actions/setup-pack@0f05ba41fb74d56ab4cb27485f538a8d65b4122e # v5.8.9
9191
- name: Restore Docker images from the cache
9292
uses: actions/cache/restore@v4
9393
with:
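Review bot: this is the second of three identical `setup-pack` pins in the file (lines 44, 90 and 129), and they need to move together or the jobs start running different action code without anything in the diff saying so. The Dependabot group added in `.github/dependabot.yml` will bump all three in one PR, but a manual edit to one of them would not be caught, and `uses:` does not accept `${{ }}` expressions, so the version cannot be factored into a single variable. A cheap guard is a check such as `grep -n 'setup-pack@' .github/workflows/*.yml | sort -u -k2` in a lint step, or a comment at the first pin noting the other two locations. The `actions/cache/restore@v4` at line 92 stays on a major tag for the same first-party reason as `actions/checkout`.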
@@ -126,7 +126,7 @@ jobs:
126126
- name: Checkout
127127
uses: actions/checkout@v4
128128
- name: Install Pack CLI
129-
uses: buildpacks/github-actions/setup-pack@v5.8.8
129+
uses: buildpacks/github-actions/setup-pack@0f05ba41fb74d56ab4cb27485f538a8d65b4122e # v5.8.9
130130
with:
131131
# Using an older version of Pack CLI here (that only supports Platform API <= 0.9),
132132
# for testing parity with the Platform API version used by Kodon for Functions:
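Review bot: the comment at lines 131-132 says this step deliberately installs an older Pack CLI (Platform API <= 0.9), and the input that selects that version lives in the `with:` block just past the hunk. Pinning the action to the v5.8.9 commit changes the action's own code, not the Pack version it installs, so the comment remains correct; what should be confirmed is that the input name used in that `with:` block is still accepted by v5.8.9, because an unrecognised input only produces a runner warning rather than a failure, and the step would then silently install the action's default Pack version and defeat the parity test the comment describes.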
@@ -210,14 +210,14 @@ jobs:
210210
echo "${REGISTRY_TOKEN}" | docker login '${{ secrets.REGISTRY_HOST }}' -u '${{ secrets.REGISTRY_USER }}' --password-stdin
211211
- name: Configure AWS credentials
212212
if: matrix.tag_ecr_public != ''
213-
uses: aws-actions/configure-aws-credentials@v4
213+
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
214214
with:
215215
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ECR_ROLE }}
216216
aws-region: ${{ vars.AWS_REGION }}
217217
- name: Log in to Amazon ECR Public
218218
if: matrix.tag_ecr_public != ''
219219
id: login-ecr-public
220-
uses: aws-actions/amazon-ecr-login@v2
220+
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
221221
with:
222222
registry-type: public
223223
- name: Tag builder and push to Docker Hub
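Review bot: `configure-aws-credentials` at line 213 is the step that mints the cloud credentials for this job, which makes it the highest-value pin in the workflow, and the SHA here matches the one used at line 260 in the later job, so both jobs run the same action code. Line 215 assumes a role via `role-to-assume` with no static keys visible in the step; if that is OIDC federation, the job needs `permissions: id-token: write`, which is outside the hunk but worth re-checking, because a pinned action that cannot obtain an ID token fails in a way that is easy to misread as a problem with the pin itself. The `if: matrix.tag_ecr_public != ''` guards on lines 212 and 218 keep the AWS steps from running for matrix entries that do not publish to ECR Public, which also keeps the credential exposure limited to the jobs that need it.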
@@ -257,13 +257,13 @@ jobs:
257257
- name: Log in to Docker Hub
258258
run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | docker login -u '${{ secrets.DOCKER_HUB_USER }}' --password-stdin
259259
- name: Configure AWS credentials
260-
uses: aws-actions/configure-aws-credentials@v4
260+
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
261261
with:
262262
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ECR_ROLE }}
263263
aws-region: ${{ vars.AWS_REGION }}
264264
- name: Log in to Amazon ECR Public
265265
id: login-ecr-public
266-
uses: aws-actions/amazon-ecr-login@v2
266+
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
267267
with:
268268
registry-type: public
269269
- name: Create and push manifest lists
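Review bot: line 258 writes the secret inline, `echo '${{ secrets.DOCKER_HUB_TOKEN }}' | docker login ...`, whereas the equivalent step at line 210 in the earlier job reads `"${REGISTRY_TOKEN}"` from the environment. The inline form is expanded by the runner before the shell parses the line, so the single quotes do not protect against a value containing `'`, and the expand-then-execute pattern is the one GitHub's hardening guide tells you to avoid in favour of passing values through `env:`. Suggest matching line 210: set `DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}` under `env:` for the step and pipe `"${DOCKER_HUB_TOKEN}"`. The pin changes at lines 260 and 266 mirror lines 213 and 220 exactly, so nothing further on those.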

.github/workflows/update-lifecycle.yml (+1 −1)
@@ -48,7 +48,7 @@ jobs:
4848
# Note: This step will skip creating a PR if there are no changes to commit.
4949
- name: Create or update pull request
5050
id: pr
51-
uses: peter-evans/create-pull-request@v7.0.7
51+
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
5252
with:
5353
token: ${{ steps.generate-token.outputs.token }}
5454
title: Update lifecycle from v${{ steps.existing-version.outputs.version }} to v${{ steps.latest-version.outputs.version }}
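Review bot: `create-pull-request` at line 51 is handed an installation token from `steps.generate-token` (line 53), so whatever revision of this action runs can open and modify pull requests as the app; that makes this the pin most worth keeping, and the previous `@v7.0.7` was exactly the kind of full-version tag the commit message points out can be moved. The pin limits which code runs but not what the token can reach, so alongside it confirm that the generated token is scoped to this repository with only the `contents` and `pull-requests` write permissions the step needs; the step's own comment at line 48 (no PR when there are no changes) is unaffected by the version bump.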
