Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pin SHA of third-party GitHub Actions #677

Merged
merged 1 commit into from
Mar 17, 2025
+13 −8
Merged

Pin SHA of third-party GitHub Actions #677

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Loading
Loading status checks…
Pin SHA of third-party GitHub Actions 
The full-version Git tags used by Actions are mutable (as seen in recent
events in the wider GitHub Actions community), so pinning third-party
Actions to a SHA is recommended:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

The version tag has been added after the pin as a comment (as a
readability aid) in a format that Dependabot will keep up to date:
dependabot/dependabot-core#4691

I've also enabled Dependabot grouping for GitHub Actions updates
to reduce PR noise.

GUS-W-18051077.
@edmorley
edmorley committed Mar 17, 2025

Verified

This commit was signed with the committer’s verified signature.
edmorley Ed Morley
GPG key ID: 66656A8EC41D1569
Verified
Learn about vigilant mode
commit da1c292f1dc1f5766fd86dad1c1bcf9ba894c9da
5 changes: 5 additions & 0 deletions .github/dependabot.yml
View file
Original file line number Diff line number Diff line change
@@ -4,3 +4,8 @@ updates:
directory: "/"
schedule:
interval: "monthly"
groups:
github-actions:
update-types:
- "minor"
- "patch"
14 changes: 7 additions & 7 deletions .github/workflows/build-test-publish.yml
View file
Original file line number Diff line number Diff line change
@@ -41,7 +41,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Install Pack CLI
uses: buildpacks/github-actions/setup-pack@v5.8.8
uses: buildpacks/github-actions/setup-pack@0f05ba41fb74d56ab4cb27485f538a8d65b4122e # v5.8.9
- name: Create builder image
run: pack builder create ${{ matrix.builder }} --config ${{ matrix.builder }}/builder.toml --pull-policy always
# We export the run image too (and not just the generated builder image), since it adds virtually
@@ -87,7 +87,7 @@ jobs:
ref: main
repository: heroku/${{ matrix.language }}-getting-started.git
- name: Install Pack CLI
uses: buildpacks/github-actions/setup-pack@v5.8.8
uses: buildpacks/github-actions/setup-pack@0f05ba41fb74d56ab4cb27485f538a8d65b4122e # v5.8.9
- name: Restore Docker images from the cache
uses: actions/cache/restore@v4
with:
@@ -126,7 +126,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- name: Install Pack CLI
uses: buildpacks/github-actions/setup-pack@v5.8.8
uses: buildpacks/github-actions/setup-pack@0f05ba41fb74d56ab4cb27485f538a8d65b4122e # v5.8.9
with:
# Using an older version of Pack CLI here (that only supports Platform API <= 0.9),
# for testing parity with the Platform API version used by Kodon for Functions:
@@ -210,14 +210,14 @@ jobs:
echo "${REGISTRY_TOKEN}" | docker login '${{ secrets.REGISTRY_HOST }}' -u '${{ secrets.REGISTRY_USER }}' --password-stdin
- name: Configure AWS credentials
if: matrix.tag_ecr_public != ''
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ECR_ROLE }}
aws-region: ${{ vars.AWS_REGION }}
- name: Log in to Amazon ECR Public
if: matrix.tag_ecr_public != ''
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
with:
registry-type: public
- name: Tag builder and push to Docker Hub
@@ -257,13 +257,13 @@ jobs:
- name: Log in to Docker Hub
run: echo '${{ secrets.DOCKER_HUB_TOKEN }}' | docker login -u '${{ secrets.DOCKER_HUB_USER }}' --password-stdin
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
with:
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ECR_ROLE }}
aws-region: ${{ vars.AWS_REGION }}
- name: Log in to Amazon ECR Public
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@v2
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
with:
registry-type: public
- name: Create and push manifest lists
2 changes: 1 addition & 1 deletion .github/workflows/update-lifecycle.yml
View file
Original file line number Diff line number Diff line change
@@ -48,7 +48,7 @@ jobs:
# Note: This step will skip creating a PR if there are no changes to commit.
- name: Create or update pull request
id: pr
uses: peter-evans/create-pull-request@v7.0.7
uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
with:
token: ${{ steps.generate-token.outputs.token }}
title: Update lifecycle from v${{ steps.existing-version.outputs.version }} to v${{ steps.latest-version.outputs.version }}