diff options
| author | naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> | 2022-03-18 23:56:02 +0000 |
|---|---|---|
| committer | naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> | 2022-03-28 19:00:16 +0000 |
| commit | 1821eb3837a81bf666ed87e5ccb3da4e190a9aba (patch) | |
| tree | bd9f7fea260a1c602d0c9a77406eac4f3a67b0c2 /.github/workflows/check_cirrus_cron.yml | |
| parent | c2eae35c606382418c6e2ce57c4ab874f1975f21 (diff) | |
| download | podman-1821eb3837a81bf666ed87e5ccb3da4e190a9aba.tar.gz podman-1821eb3837a81bf666ed87e5ccb3da4e190a9aba.tar.bz2 podman-1821eb3837a81bf666ed87e5ccb3da4e190a9aba.zip | |
Pin actions to a full length commit SHA
- Pinned actions by SHA https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
>Pin actions to a full length commit SHA
>Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Also dependabot supports upgrades based on SHA.
Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Diffstat (limited to '.github/workflows/check_cirrus_cron.yml')
| -rw-r--r-- | .github/workflows/check_cirrus_cron.yml | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/.github/workflows/check_cirrus_cron.yml b/.github/workflows/check_cirrus_cron.yml index 5c206ae2f..5704b0b9d 100644 --- a/.github/workflows/check_cirrus_cron.yml +++ b/.github/workflows/check_cirrus_cron.yml @@ -29,7 +29,7 @@ jobs: cron_failures: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 with: persist-credentials: false @@ -61,7 +61,7 @@ jobs: - if: steps.cron.outputs.failures > 0 name: Send failure notification e-mail # Ref: https://github.com/dawidd6/action-send-mail - uses: dawidd6/action-send-mail@v2.2.2 + uses: dawidd6/action-send-mail@a80d851dc950256421f1d1d735a2dc1ef314ac8f # v2.2.2 with: server_address: ${{secrets.ACTION_MAIL_SERVER}} server_port: 465 @@ -73,14 +73,14 @@ jobs: body: file://./artifacts/email_body.txt - if: always() - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2 with: name: ${{ github.job }}_artifacts path: artifacts/* - if: failure() name: Send error notification e-mail - uses: dawidd6/action-send-mail@v2.2.2 + uses: dawidd6/action-send-mail@a80d851dc950256421f1d1d735a2dc1ef314ac8f # v2.2.2 with: server_address: ${{secrets.ACTION_MAIL_SERVER}} server_port: 465 |